asyncrat | d527b83bd8a873e5087fc2ddb34ebaa5128ff02d418d75448a59b87cbe1f4e13

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AUNova.exe
Size

2.1MB
MD5

3d37da85a895fc9dc6abb3885041d9ef
SHA1

a80e01133d9a0fe9f4675bd127d46c9a283cdab3
SHA256

fc5945aa217c7a8eca8d501693d491f5efdf88c629ab5758369db1ee6967517a
SHA512

27e9f0c5da0f3fa05219d607de1816b3e4193f7a742e8ec41b9633653de4f020000ea1e97d000458694c82e9c58bd4583c495c4ec513b1a483b2c64b623ca413
SSDEEP

24576:9GzSVNqaWt+eTVXydlYmVSdh0Tzt0ReIumwxmV59C6qBJETV/rkDJSTIDS4Fuvrm:czoNK9M7Y8GUzg9IY9C2VTQwvrYZzBJ

Score

10^/10

asyncrat xmrig default evasion execution miner persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023bb7-18.dat	family_asyncrat

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3592-100-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-103-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-105-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-107-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-106-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-104-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-101-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-108-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3592-109-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1544	powershell.exe
3460	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AUNova.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe

Executes dropped EXE 4 IoCs

pid	Process
4432	AU.exe
4516	Load.exe
2092	Load.exe
4304	iyjrynjkzgum.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1496	powercfg.exe
4984	powercfg.exe
2508	powercfg.exe
4052	powercfg.exe
3252	powercfg.exe
3452	powercfg.exe
1540	powercfg.exe
3840	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	iyjrynjkzgum.exe
File opened for modification	C:\Windows\system32\MRT.exe	AU.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 set thread context of 3592	4304	iyjrynjkzgum.exe	154

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3592-96-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-100-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-103-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-105-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-107-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-106-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-104-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-95-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-99-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-97-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-101-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-98-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-108-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3592-109-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2844	sc.exe
3500	sc.exe
4820	sc.exe
3972	sc.exe
4520	sc.exe
540	sc.exe
4324	sc.exe
3284	sc.exe
4004	sc.exe
4700	sc.exe
3980	sc.exe
4828	sc.exe
4988	sc.exe
4540	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1496	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
4516	Load.exe
2092	Load.exe
2092	Load.exe
2092	Load.exe
4432	AU.exe
1544	powershell.exe
1544	powershell.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4432	AU.exe
4304	iyjrynjkzgum.exe
3460	powershell.exe
3460	powershell.exe
2092	Load.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
4304	iyjrynjkzgum.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe
3592	explorer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	Load.exe
Token: SeDebugPrivilege	2092	Load.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	3252	powercfg.exe
Token: SeCreatePagefilePrivilege	3252	powercfg.exe
Token: SeShutdownPrivilege	3840	powercfg.exe
Token: SeCreatePagefilePrivilege	3840	powercfg.exe
Token: SeShutdownPrivilege	3452	powercfg.exe
Token: SeCreatePagefilePrivilege	3452	powercfg.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeCreatePagefilePrivilege	1540	powercfg.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeShutdownPrivilege	4984	powercfg.exe
Token: SeCreatePagefilePrivilege	4984	powercfg.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeCreatePagefilePrivilege	4052	powercfg.exe
Token: SeShutdownPrivilege	1496	powercfg.exe
Token: SeCreatePagefilePrivilege	1496	powercfg.exe
Token: SeShutdownPrivilege	2508	powercfg.exe
Token: SeCreatePagefilePrivilege	2508	powercfg.exe
Token: SeLockMemoryPrivilege	3592	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2092	Load.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4432	1520	AUNova.exe	82
PID 1520 wrote to memory of 4432	1520	AUNova.exe	82
PID 1520 wrote to memory of 4516	1520	AUNova.exe	83
PID 1520 wrote to memory of 4516	1520	AUNova.exe	83
PID 4516 wrote to memory of 4148	4516	Load.exe	84
PID 4516 wrote to memory of 4148	4516	Load.exe	84
PID 4516 wrote to memory of 2436	4516	Load.exe	85
PID 4516 wrote to memory of 2436	4516	Load.exe	85
PID 2436 wrote to memory of 1496	2436	cmd.exe	88
PID 2436 wrote to memory of 1496	2436	cmd.exe	88
PID 4148 wrote to memory of 4900	4148	cmd.exe	89
PID 4148 wrote to memory of 4900	4148	cmd.exe	89
PID 2436 wrote to memory of 2092	2436	cmd.exe	90
PID 2436 wrote to memory of 2092	2436	cmd.exe	90
PID 3156 wrote to memory of 4560	3156	cmd.exe	104
PID 3156 wrote to memory of 4560	3156	cmd.exe	104
PID 4608 wrote to memory of 4148	4608	cmd.exe	136
PID 4608 wrote to memory of 4148	4608	cmd.exe	136
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 4040	4304	iyjrynjkzgum.exe	149
PID 4304 wrote to memory of 3592	4304	iyjrynjkzgum.exe	154
PID 4304 wrote to memory of 3592	4304	iyjrynjkzgum.exe	154
PID 4304 wrote to memory of 3592	4304	iyjrynjkzgum.exe	154
PID 4304 wrote to memory of 3592	4304	iyjrynjkzgum.exe	154
PID 4304 wrote to memory of 3592	4304	iyjrynjkzgum.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AUNova.exe
"C:\Users\Admin\AppData\Local\Temp\AUNova.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\AU.exe
  "C:\Users\Admin\AppData\Local\Temp\AU.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3980
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2844
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4828
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "svchost.exe"
    3⤵
    - Launches sc.exe
    PID:4988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "svchost.exe" binpath= "C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4324
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3284
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "svchost.exe"
    3⤵
    - Launches sc.exe
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1AA.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1496
  - - C:\Users\Admin\AppData\Roaming\Load.exe
      "C:\Users\Admin\AppData\Roaming\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2092

C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe
C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4148
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4540
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3500
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4820
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4040
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\AU.exe

Filesize
2.5MB

MD5
f81ff7313709cb4a94d7063aebe28410

SHA1
e85f7f1c21ad801d04dadaa3a52c3dae0120838a

SHA256
55b9842f81f3d83e47e72cff32f4ec903c9a06bd60ea631be3d6c463fcb457f8

SHA512
dc65acc20940e57799546a5e55ebec6ca8f57a1dc0033a4ef892a13991516e5cebe307bc73e3c98d7060eb352d043764fe5c2a6b94ea71b2d0c55d4e97930474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abjfwb2x.p4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1AA.tmp.bat

Filesize
148B

MD5
e5023647e39acad30045d6d90139daae

SHA1
dbfa58c1aa89f34221cc51fe7e236e58b01f1299

SHA256
e16cd95ceace1a507c3f85ee403f8963ea929f78d810c029e7884b010049a8da

SHA512
a4c625522b045193d3de20893aeec20d4b07a1efecce4fac7ffa1325351e1d8e8161d5e351b8cb439f1042524170c4ad1c3d21e6796c695e53f6fc7ece4a56ec

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/1520-1-0x0000000000C40000-0x0000000000E5A000-memory.dmp

Filesize
2.1MB

Download
memory/1520-3-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1520-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/1520-26-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1544-52-0x000001B865A90000-0x000001B865AB2000-memory.dmp

Filesize
136KB

Download
memory/3460-82-0x0000016AF3FA0000-0x0000016AF3FA8000-memory.dmp

Filesize
32KB

Download
memory/3460-80-0x0000016AF3F90000-0x0000016AF3F9A000-memory.dmp

Filesize
40KB

Download
memory/3460-84-0x0000016AF3FE0000-0x0000016AF3FEA000-memory.dmp

Filesize
40KB

Download
memory/3460-83-0x0000016AF3FD0000-0x0000016AF3FD6000-memory.dmp

Filesize
24KB

Download
memory/3460-81-0x0000016AF3FF0000-0x0000016AF400A000-memory.dmp

Filesize
104KB

Download
memory/3460-76-0x0000016AF3D60000-0x0000016AF3D7C000-memory.dmp

Filesize
112KB

Download
memory/3460-77-0x0000016AF3D80000-0x0000016AF3E35000-memory.dmp

Filesize
724KB

Download
memory/3460-78-0x0000016AF3E40000-0x0000016AF3E4A000-memory.dmp

Filesize
40KB

Download
memory/3460-79-0x0000016AF3FB0000-0x0000016AF3FCC000-memory.dmp

Filesize
112KB

Download
memory/3592-107-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-95-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-109-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-108-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-98-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-101-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-97-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-99-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-104-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-106-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-105-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-96-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-102-0x0000000001380000-0x00000000013A0000-memory.dmp

Filesize
128KB

Download
memory/3592-100-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3592-103-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4040-94-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4040-87-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4040-88-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4040-89-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4040-90-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4040-91-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4516-36-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4516-27-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/4516-35-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4516-30-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4516-28-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download