asyncrat | 6e037135b5dc8ce75267fcc8215a48041ef8ffa1409dad74799d1295b66f7321

Analysis

max time kernel
145s
max time network
146s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-12-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crackers.rar
Size

25KB
MD5

aa7aeddc68534067f04cba538ff43423
SHA1

36afe36fc4a16f8fe5a90971a5cd356b54b2e33b
SHA256

6e037135b5dc8ce75267fcc8215a48041ef8ffa1409dad74799d1295b66f7321
SHA512

e781bfd76a0e980c4502c0d8609c5d01494098bd9c80fce99202fdd35947c43885efaa311ab129109283830bf43656d55e60b14488b6a1b769899aba46b5d211
SSDEEP

768:Qndpw8zHhJuqGMIJaPIrVszW18ZYm/UWGcqZSnh:g/w8zHLnDIMIrf8emYrSh

Score

10^/10

asyncrat default discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:1194

193.161.193.99:1194

Mutex

PX50IrcSQ5Gg

Attributes

delay
3
install
true
install_file
crackers.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x002600000004624b-4.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	crackers.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
5364	crackers.exe
5292	crackers.exe
3760	crackers.exe
4704	crackers.exe
4328	crackers.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_71e43a6eaa912e56\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_71e43a6eaa912e56\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF	dxdiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crackers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crackers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crackers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crackers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crackers.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6128	timeout.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1798060429-1844192857-3165087720-1000\{78130D0F-C60E-4D05-B032-81EEF633797D}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1798060429-1844192857-3165087720-1000\{601BC33A-DD95-4C6D-97B1-FEDD7132A458}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
5364	crackers.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
5768	dxdiag.exe
5768	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	7zFM.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	4412	7zFM.exe
Token: 35	4412	7zFM.exe
Token: SeSecurityPrivilege	4412	7zFM.exe
Token: SeDebugPrivilege	5364	crackers.exe
Token: SeSecurityPrivilege	4412	7zFM.exe
Token: SeDebugPrivilege	5292	crackers.exe
Token: SeDebugPrivilege	1176	taskmgr.exe
Token: SeSystemProfilePrivilege	1176	taskmgr.exe
Token: SeCreateGlobalPrivilege	1176	taskmgr.exe
Token: 33	1176	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1176	taskmgr.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
4412	7zFM.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1216	SecHealthUI.exe
5768	dxdiag.exe
5768	dxdiag.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 5364	4412	7zFM.exe	84
PID 4412 wrote to memory of 5364	4412	7zFM.exe	84
PID 4412 wrote to memory of 5364	4412	7zFM.exe	84
PID 5364 wrote to memory of 4372	5364	crackers.exe	86
PID 5364 wrote to memory of 4372	5364	crackers.exe	86
PID 5364 wrote to memory of 4372	5364	crackers.exe	86
PID 5364 wrote to memory of 3964	5364	crackers.exe	88
PID 5364 wrote to memory of 3964	5364	crackers.exe	88
PID 5364 wrote to memory of 3964	5364	crackers.exe	88
PID 3964 wrote to memory of 6128	3964	cmd.exe	90
PID 3964 wrote to memory of 6128	3964	cmd.exe	90
PID 3964 wrote to memory of 6128	3964	cmd.exe	90
PID 4372 wrote to memory of 5296	4372	cmd.exe	91
PID 4372 wrote to memory of 5296	4372	cmd.exe	91
PID 4372 wrote to memory of 5296	4372	cmd.exe	91
PID 3964 wrote to memory of 5292	3964	cmd.exe	93
PID 3964 wrote to memory of 5292	3964	cmd.exe	93
PID 3964 wrote to memory of 5292	3964	cmd.exe	93

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\crackers.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\7zOC3148CC7\crackers.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC3148CC7\crackers.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "crackers" /tr '"C:\Users\Admin\AppData\Roaming\crackers.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF89.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:6128
  - - C:\Users\Admin\AppData\Roaming\crackers.exe
      "C:\Users\Admin\AppData\Roaming\crackers.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5292

C:\Users\Admin\Desktop\crackers.exe
"C:\Users\Admin\Desktop\crackers.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3760

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1176

C:\Users\Admin\Desktop\crackers.exe
"C:\Users\Admin\Desktop\crackers.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4184

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:752

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:6080

C:\Users\Admin\Desktop\crackers.exe
"C:\Users\Admin\Desktop\crackers.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4328

C:\Windows\system32\dxdiag.exe
"C:\Windows\system32\dxdiag.exe"
1⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crackers.exe.log

Filesize
522B

MD5
00da7f1e650af65ee27f2c786561d83b

SHA1
071e8622f304964d2350202c1ca9db34d71d29e9

SHA256
706d2dc5cd3f617834859782684b201a324ed5e8edc9bdea38e886341c931776

SHA512
ae22913cafaf59eee00c2775a9c29d110e11b8f9732c9c2ad69acc30f95d59d983ff269d31a5747aff8971bcde31f83fb40dc6a3656ab3d272f35c194bb90b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC3148CC7\crackers.exe

Filesize
47KB

MD5
c293f3aa9309bdbbea7ce7b82c555e8e

SHA1
69d4edbf51feb07fa5a87eae76418b40de34f72c

SHA256
d61d9974e73631319c87de439a9a018488795e1d31f12a29092a1a90113f0fb0

SHA512
d77b24dafe769fd9ba7bf52a6847ccb217c7e4d3af6adf1837cfcfb151c02acc02cc4ae046e4498f39209c083c188b41ae3d57cda427afbd0ece1d446c11396d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF89.tmp.bat

Filesize
152B

MD5
c9555b912bf1ff535d3bb14146b80355

SHA1
d49671e05ded70ab13147edc5e6596aa66b35a7b

SHA256
c1dac08c17e99de525e89c2dfbed1373394d0cd840327bcbdd475299f1886d69

SHA512
4bf5ca80737bec71ed20cdd053b4876f4883c32e1fe7abc4ea733ba763f0c04fc44d31458d2a2b584853fa4a9406b32f124c183062c8d5df725384b9cdb16122

Download Submit
memory/1176-44-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-42-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-39-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-40-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-41-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-34-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-33-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-35-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-45-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/1176-43-0x0000022DCD1B0000-0x0000022DCD1B1000-memory.dmp

Filesize
4KB

Download
memory/5364-15-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/5364-18-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/5364-16-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/5364-17-0x0000000075090000-0x0000000075841000-memory.dmp

Filesize
7.7MB

Download
memory/5364-23-0x0000000075090000-0x0000000075841000-memory.dmp

Filesize
7.7MB

Download
memory/5768-49-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-50-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-48-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-59-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-58-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-57-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-56-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-55-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download
memory/5768-54-0x00000198C8390000-0x00000198C8391000-memory.dmp

Filesize
4KB

Download