asyncrat | 558909412427b05911a02cddfe00fc5e9d30bc38e1ba636d04aa7efb63438ec8

Analysis

max time kernel
1800s
max time network
1796s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-11-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project Buu/Dependencies/Dependencies.exe
Size

63KB
MD5

97be07e4d8fa640d71aa049385d8bcc2
SHA1

cd21b0a98183abe177ce6b1a857f9b4166100b4d
SHA256

df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31
SHA512

23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4
SSDEEP

768:b2yVjLFj7778BIC8A+XkaazcBRL5JTk1+T4KSBGHmDbD/ph0oX2f2/F5qVKGVxSD:jJ7TPdSJYUbdh9GMMKGOuodpqKmY7

Score

10^/10

asyncrat stealerium default collection discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

79.110.49.58:3232

Attributes

delay
1
install
true
install_file
Windows Security .exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Windows Security .exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Security .exe

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows Security .exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Security .exe	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Dependencies.exeWindows Security .exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Dependencies.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Windows Security .exe

Executes dropped EXE 1 IoCs

Processes:

Windows Security .exe

pid process

2640 Windows Security .exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2640	Windows Security .exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe
Key opened	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe
Key opened	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Windows Security .exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3364	powershell.exe
836	powershell.exe
5064	powershell.exe
4812	powershell.exe
1716	powershell.exe
828	powershell.exe
656	powershell.exe
2788	powershell.exe
3712	powershell.exe
2224	powershell.exe
4292	powershell.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 icanhazip.com
49 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
47	icanhazip.com
49	ip-api.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

3844 cmd.exe
1468 netsh.exe

pid	process
3844	cmd.exe
1468	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Windows Security .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Windows Security .exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4644 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3880 schtasks.exe

pid	process
4644	timeout.exe

pid	process
3880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dependencies.exeWindows Security .exe

pid	process
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
4268	Dependencies.exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe
2640	Windows Security .exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Security .exe

pid process

2640 Windows Security .exe

pid	process
2640	Windows Security .exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Dependencies.exeWindows Security .exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4268	Dependencies.exe
Token: SeDebugPrivilege	2640	Windows Security .exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeIncreaseQuotaPrivilege	2104	powershell.exe
Token: SeSecurityPrivilege	2104	powershell.exe
Token: SeTakeOwnershipPrivilege	2104	powershell.exe
Token: SeLoadDriverPrivilege	2104	powershell.exe
Token: SeSystemProfilePrivilege	2104	powershell.exe
Token: SeSystemtimePrivilege	2104	powershell.exe
Token: SeProfSingleProcessPrivilege	2104	powershell.exe
Token: SeIncBasePriorityPrivilege	2104	powershell.exe
Token: SeCreatePagefilePrivilege	2104	powershell.exe
Token: SeBackupPrivilege	2104	powershell.exe
Token: SeRestorePrivilege	2104	powershell.exe
Token: SeShutdownPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeSystemEnvironmentPrivilege	2104	powershell.exe
Token: SeRemoteShutdownPrivilege	2104	powershell.exe
Token: SeUndockPrivilege	2104	powershell.exe
Token: SeManageVolumePrivilege	2104	powershell.exe
Token: 33	2104	powershell.exe
Token: 34	2104	powershell.exe
Token: 35	2104	powershell.exe
Token: 36	2104	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeIncreaseQuotaPrivilege	2788	powershell.exe
Token: SeSecurityPrivilege	2788	powershell.exe
Token: SeTakeOwnershipPrivilege	2788	powershell.exe
Token: SeLoadDriverPrivilege	2788	powershell.exe
Token: SeSystemProfilePrivilege	2788	powershell.exe
Token: SeSystemtimePrivilege	2788	powershell.exe
Token: SeProfSingleProcessPrivilege	2788	powershell.exe
Token: SeIncBasePriorityPrivilege	2788	powershell.exe
Token: SeCreatePagefilePrivilege	2788	powershell.exe
Token: SeBackupPrivilege	2788	powershell.exe
Token: SeRestorePrivilege	2788	powershell.exe
Token: SeShutdownPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeSystemEnvironmentPrivilege	2788	powershell.exe
Token: SeRemoteShutdownPrivilege	2788	powershell.exe
Token: SeUndockPrivilege	2788	powershell.exe
Token: SeManageVolumePrivilege	2788	powershell.exe
Token: 33	2788	powershell.exe
Token: 34	2788	powershell.exe
Token: 35	2788	powershell.exe
Token: 36	2788	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeIncreaseQuotaPrivilege	4292	powershell.exe
Token: SeSecurityPrivilege	4292	powershell.exe
Token: SeTakeOwnershipPrivilege	4292	powershell.exe
Token: SeLoadDriverPrivilege	4292	powershell.exe
Token: SeSystemProfilePrivilege	4292	powershell.exe
Token: SeSystemtimePrivilege	4292	powershell.exe
Token: SeProfSingleProcessPrivilege	4292	powershell.exe
Token: SeIncBasePriorityPrivilege	4292	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

Dependencies.execmd.execmd.exeWindows Security .execmd.execmd.exe

description	pid	process	target process
PID 4268 wrote to memory of 2972	4268	Dependencies.exe	cmd.exe
PID 4268 wrote to memory of 2972	4268	Dependencies.exe	cmd.exe
PID 4268 wrote to memory of 1280	4268	Dependencies.exe	cmd.exe
PID 4268 wrote to memory of 1280	4268	Dependencies.exe	cmd.exe
PID 2972 wrote to memory of 3880	2972	cmd.exe	schtasks.exe
PID 2972 wrote to memory of 3880	2972	cmd.exe	schtasks.exe
PID 1280 wrote to memory of 4644	1280	cmd.exe	timeout.exe
PID 1280 wrote to memory of 4644	1280	cmd.exe	timeout.exe
PID 1280 wrote to memory of 2640	1280	cmd.exe	Windows Security .exe
PID 1280 wrote to memory of 2640	1280	cmd.exe	Windows Security .exe
PID 2640 wrote to memory of 2104	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2104	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2788	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2788	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 3712	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 3712	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2224	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2224	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 4292	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 4292	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 836	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 836	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 5064	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 5064	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 4812	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 4812	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 828	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 828	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 656	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 656	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 1716	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 1716	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 3364	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 3364	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2496	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 2496	2640	Windows Security .exe	powershell.exe
PID 2640 wrote to memory of 3844	2640	Windows Security .exe	cmd.exe
PID 2640 wrote to memory of 3844	2640	Windows Security .exe	cmd.exe
PID 3844 wrote to memory of 3936	3844	cmd.exe	chcp.com
PID 3844 wrote to memory of 3936	3844	cmd.exe	chcp.com
PID 3844 wrote to memory of 1468	3844	cmd.exe	netsh.exe
PID 3844 wrote to memory of 1468	3844	cmd.exe	netsh.exe
PID 3844 wrote to memory of 3320	3844	cmd.exe	findstr.exe
PID 3844 wrote to memory of 3320	3844	cmd.exe	findstr.exe
PID 2640 wrote to memory of 4740	2640	Windows Security .exe	cmd.exe
PID 2640 wrote to memory of 4740	2640	Windows Security .exe	cmd.exe
PID 4740 wrote to memory of 2772	4740	cmd.exe	chcp.com
PID 4740 wrote to memory of 2772	4740	cmd.exe	chcp.com
PID 4740 wrote to memory of 3700	4740	cmd.exe	netsh.exe
PID 4740 wrote to memory of 3700	4740	cmd.exe	netsh.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows Security .exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

outlook_win_path 1 IoCs

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

C:\Users\Admin\AppData\Local\Temp\Project Buu\Dependencies\Dependencies.exe
"C:\Users\Admin\AppData\Local\Temp\Project Buu\Dependencies\Dependencies.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4644
- - C:\Users\Admin\AppData\Roaming\Windows Security .exe
    "C:\Users\Admin\AppData\Roaming\Windows Security .exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - outlook_office_path
    - outlook_win_path
    PID:2640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
      4⤵
      PID:2496
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3936
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1468
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:3320
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2772
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\007238087f70c3dfda7a8053063018ba\Admin@CCLZUENW_en-US\System\Process.txt

Filesize
1KB

MD5
f4f28694e3594151475d8ddadce54e5e

SHA1
12452a1b8ec0af705cf858d2bd911410d48ea97d

SHA256
6190bc80c8c4e7c4bd4a61b08ab81ee0a0be431d3083c59605611787c6c77103

SHA512
24a5f663208582ab10873e7ca66a2faeb6ab58a579135050bf8055f01e3c487b3463ca3773c04e145ba63257eff6f1c76faa985f6eecb1ecf339f431663c6337

Download Submit
C:\Users\Admin\AppData\Local\007238087f70c3dfda7a8053063018ba\Admin@CCLZUENW_en-US\System\Process.txt

Filesize
2KB

MD5
1361c0bb3c438b8dbcec65e59eb9e8f1

SHA1
0d1b7b7708a445b2279fa8124dfd92dd16287b2c

SHA256
bc7c25b4ed494c9e1b69e62602c208473a78d884a5d265e59848eb1ec24dacf9

SHA512
c88bc59465f1bea4825a6a8f5958fc7b482fa8daa793c7473e1c8cec1f51f218fa3a5307b0c0b39657dcd5778237e57c7755b736a6f4ba3c939c43476a5aabb7

Download Submit
C:\Users\Admin\AppData\Local\007238087f70c3dfda7a8053063018ba\Admin@CCLZUENW_en-US\System\Process.txt

Filesize
3KB

MD5
9238e309b08225e229aeb0bfd4d7a56f

SHA1
d255c780babba338925d621e60f8f8e3d3aca417

SHA256
0502f55bd5280a9edd72a03a7d56512e4486ec7d6fdf653ddf7d67467478d341

SHA512
47802fe9a78516774fb2a92e0c151bf1816e221b2e66feee25477c1210415a72eb7b2d394336ddedf3515020862ee55263b80d8599be9a42ff75c70f34fe31b9

Download Submit
C:\Users\Admin\AppData\Local\007238087f70c3dfda7a8053063018ba\Admin@CCLZUENW_en-US\System\Process.txt

Filesize
4KB

MD5
9c9101916de1389651da9f1d98674cfb

SHA1
0fc6a792796739be4211efaae9bf2b6ab9c38172

SHA256
e166a840414f29082a353beceda2b116dae7d4a108ec83678933077bd055f88c

SHA512
512fa16c8e2bf88d6f0f2f3850637f229fdf968f49efb16ac7d01e455f75076c461c06be7243dd9fce3ec764ad2349da332152f373e7eeda3b31f75526e28b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f1bf4207c100442afb6f174495b7e10

SHA1
77ab64a201e4c57bbda4f0c3306bee76e9513b44

SHA256
c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

SHA512
29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgc3uibc.fkv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.bat

Filesize
161B

MD5
79a38854f20b649fb07a831b9bdd25dd

SHA1
3c9b6c306753d625f157b96080976d9ca7de3898

SHA256
0720194c77aeb36f253d2ff2e62aa694ac2782baca8e932e339da1c49a2fb769

SHA512
6035004e140fe056c1e26685f6c111541c9e405103ea52274ffd261fe6b29e93fe0b450fc0c4c4b8d7cd4434ebd2937b43dd7c0f431592e72b609ed59e5efcb6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security .exe

Filesize
63KB

MD5
97be07e4d8fa640d71aa049385d8bcc2

SHA1
cd21b0a98183abe177ce6b1a857f9b4166100b4d

SHA256
df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31

SHA512
23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4

Download Submit
memory/2104-20-0x000001C4DDF40000-0x000001C4DDF62000-memory.dmp

Filesize
136KB

Download
memory/2640-164-0x000000001D080000-0x000000001D0B4000-memory.dmp

Filesize
208KB

Download
memory/2640-16-0x00000000013E0000-0x0000000001414000-memory.dmp

Filesize
208KB

Download
memory/2640-15-0x000000001CED0000-0x000000001CF46000-memory.dmp

Filesize
472KB

Download
memory/2640-163-0x000000001CF50000-0x000000001CF84000-memory.dmp

Filesize
208KB

Download
memory/2640-17-0x000000001B750000-0x000000001B76E000-memory.dmp

Filesize
120KB

Download
memory/2640-165-0x000000001E4F0000-0x000000001E678000-memory.dmp

Filesize
1.5MB

Download
memory/2640-170-0x000000001D140000-0x000000001D14A000-memory.dmp

Filesize
40KB

Download
memory/2640-295-0x000000001CF90000-0x000000001D00A000-memory.dmp

Filesize
488KB

Download
memory/4268-0-0x00007FFB39223000-0x00007FFB39225000-memory.dmp

Filesize
8KB

Download
memory/4268-8-0x00007FFB39220000-0x00007FFB39CE2000-memory.dmp

Filesize
10.8MB

Download
memory/4268-5-0x00007FFB39220000-0x00007FFB39CE2000-memory.dmp

Filesize
10.8MB

Download
memory/4268-2-0x00007FFB39220000-0x00007FFB39CE2000-memory.dmp

Filesize
10.8MB

Download
memory/4268-1-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download