asyncrat | 40fe14bb211ec9fecbe5a3a8750bf1a8fd9104264f3f76178ac4b3778e656506

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe
Size

12.7MB
MD5

2c5d99dfc22e3c7c13abd40ef29082a6
SHA1

2eae7f57966c4409cfecda611ddb41e3d1da8147
SHA256

521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec
SHA512

21af954bb927cd6548f20333b582c130fa3e4f6a253318b3aec66fe8628dbe50a7ecdc729935f5a215a3ac2027429d87a58fea9a0f2b93e5c477cc5a3fd037fc
SSDEEP

196608:fmQDIJzN0rl/RNfrOzDzRgIurg8dCMZqWlggN2:eQO0rl/RRSgIurgjyGgN2

Score

10^/10

asyncrat neshta discovery execution persistence rat spyware

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Neshta payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000133b8-8.dat	family_neshta
behavioral1/memory/2704-32-0x0000000000E80000-0x00000000019BE000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 7 IoCs

pid	Process
2704	DangerousRAT.exe
2756	Windows Security Services.exe
2848	Windows Security Services Help.exe
2716	Windows Security Services Update.exe
1976	Windows Security Services.exe
1924	Windows Security Services.exe
2276	Windows Security Services.exe

Loads dropped DLL 8 IoCs

pid	Process
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
528	WerFault.exe
2756	Windows Security Services.exe
2848	Windows Security Services Help.exe
2716	Windows Security Services Update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtlieujwqeasnagwindows update = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rtlieujwqeasnagwindows update.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rtlieujwqeasnagwindows update = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rtlieujwqeasnagwindows update.vbs\""	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1808	powershell.exe
2308	powershell.exe
1192	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 1976	2756	Windows Security Services.exe	54
PID 2848 set thread context of 1924	2848	Windows Security Services Help.exe	55
PID 2716 set thread context of 2276	2716	Windows Security Services Update.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
528	2704	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services Help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DangerousRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2276	Windows Security Services.exe
1924	Windows Security Services.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2688	powershell.exe
2644	powershell.exe
2676	powershell.exe
524	powershell.exe
2336	powershell.exe
3008	powershell.exe
2756	Windows Security Services.exe
2756	Windows Security Services.exe
2848	Windows Security Services Help.exe
2848	Windows Security Services Help.exe
2716	Windows Security Services Update.exe
2716	Windows Security Services Update.exe
2308	powershell.exe
1808	powershell.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	DangerousRAT.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2716	Windows Security Services Update.exe
Token: SeDebugPrivilege	2756	Windows Security Services.exe
Token: SeDebugPrivilege	2848	Windows Security Services Help.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1924	Windows Security Services.exe
2276	Windows Security Services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2704	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	30
PID 1664 wrote to memory of 2704	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	30
PID 1664 wrote to memory of 2704	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	30
PID 1664 wrote to memory of 2704	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	30
PID 1664 wrote to memory of 2756	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	31
PID 1664 wrote to memory of 2756	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	31
PID 1664 wrote to memory of 2756	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	31
PID 1664 wrote to memory of 2756	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	31
PID 1664 wrote to memory of 2848	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	32
PID 1664 wrote to memory of 2848	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	32
PID 1664 wrote to memory of 2848	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	32
PID 1664 wrote to memory of 2848	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	32
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 1664 wrote to memory of 2716	1664	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	33
PID 2848 wrote to memory of 2644	2848	Windows Security Services Help.exe	34
PID 2848 wrote to memory of 2644	2848	Windows Security Services Help.exe	34
PID 2848 wrote to memory of 2644	2848	Windows Security Services Help.exe	34
PID 2848 wrote to memory of 2644	2848	Windows Security Services Help.exe	34
PID 2716 wrote to memory of 2676	2716	Windows Security Services Update.exe	35
PID 2716 wrote to memory of 2676	2716	Windows Security Services Update.exe	35
PID 2716 wrote to memory of 2676	2716	Windows Security Services Update.exe	35
PID 2716 wrote to memory of 2676	2716	Windows Security Services Update.exe	35
PID 2756 wrote to memory of 2688	2756	Windows Security Services.exe	36
PID 2756 wrote to memory of 2688	2756	Windows Security Services.exe	36
PID 2756 wrote to memory of 2688	2756	Windows Security Services.exe	36
PID 2756 wrote to memory of 2688	2756	Windows Security Services.exe	36
PID 2704 wrote to memory of 528	2704	DangerousRAT.exe	40
PID 2704 wrote to memory of 528	2704	DangerousRAT.exe	40
PID 2704 wrote to memory of 528	2704	DangerousRAT.exe	40
PID 2704 wrote to memory of 528	2704	DangerousRAT.exe	40
PID 2756 wrote to memory of 2336	2756	Windows Security Services.exe	41
PID 2756 wrote to memory of 2336	2756	Windows Security Services.exe	41
PID 2756 wrote to memory of 2336	2756	Windows Security Services.exe	41
PID 2756 wrote to memory of 2336	2756	Windows Security Services.exe	41
PID 2716 wrote to memory of 524	2716	Windows Security Services Update.exe	43
PID 2716 wrote to memory of 524	2716	Windows Security Services Update.exe	43
PID 2716 wrote to memory of 524	2716	Windows Security Services Update.exe	43
PID 2716 wrote to memory of 524	2716	Windows Security Services Update.exe	43
PID 2848 wrote to memory of 3008	2848	Windows Security Services Help.exe	44
PID 2848 wrote to memory of 3008	2848	Windows Security Services Help.exe	44
PID 2848 wrote to memory of 3008	2848	Windows Security Services Help.exe	44
PID 2848 wrote to memory of 3008	2848	Windows Security Services Help.exe	44
PID 2756 wrote to memory of 2220	2756	Windows Security Services.exe	48
PID 2756 wrote to memory of 2220	2756	Windows Security Services.exe	48
PID 2756 wrote to memory of 2220	2756	Windows Security Services.exe	48
PID 2756 wrote to memory of 2220	2756	Windows Security Services.exe	48
PID 2716 wrote to memory of 1572	2716	Windows Security Services Update.exe	47
PID 2716 wrote to memory of 1572	2716	Windows Security Services Update.exe	47
PID 2716 wrote to memory of 1572	2716	Windows Security Services Update.exe	47
PID 2716 wrote to memory of 1572	2716	Windows Security Services Update.exe	47
PID 2848 wrote to memory of 2580	2848	Windows Security Services Help.exe	49
PID 2848 wrote to memory of 2580	2848	Windows Security Services Help.exe	49
PID 2848 wrote to memory of 2580	2848	Windows Security Services Help.exe	49
PID 2848 wrote to memory of 2580	2848	Windows Security Services Help.exe	49
PID 2716 wrote to memory of 824	2716	Windows Security Services Update.exe	50
PID 2716 wrote to memory of 824	2716	Windows Security Services Update.exe	50
PID 2716 wrote to memory of 824	2716	Windows Security Services Update.exe	50
PID 2716 wrote to memory of 824	2716	Windows Security Services Update.exe	50
PID 2220 wrote to memory of 1808	2220	WScript.exe	52

C:\Users\Admin\AppData\Local\Temp\521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe
"C:\Users\Admin\AppData\Local\Temp\521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\DangerousRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\DangerousRAT.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 568
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:528
- C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Czvmmniarhsx.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1976
- C:\Users\Admin\AppData\Local\Temp\Windows Security Services Help.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Services Help.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Fiswjsizjcjynjqomep.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services" Help.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    PID:1924
  - - C:\Windows\SysWOW64\help.exe
      "C:\Windows\System32\help.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1696
- C:\Users\Admin\AppData\Local\Temp\Windows Security Services Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Services Update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Pblsxziib.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pblsxziib.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rtlieujwqeasnagwindows update.vbs"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2420
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services" Update.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DangerousRAT.exe

Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pblsxziib.vbs

Filesize
117B

MD5
a2bde8651257c1619a01520a092e3871

SHA1
0b56111496c724038b00222639658856962c7ab7

SHA256
ff5ad6b32f7c48563c4c2686cdd55b5005e729da4b932dc0e7689aa7c182e0df

SHA512
dbf9c9141c1d2df2905b8ad8169e33e7d8328dfd7f19119163601b5f7a06b380f7836fe0d276929d0fb40e29337a28f5ae6b1a8bcd115e10dac03ec3317e525b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rtlieujwqeasnagwindows update.vbs

Filesize
614KB

MD5
b14587cd6b30dea73f73d6138ea9d259

SHA1
e289a674f9b1138c1b8f392ec752c912800be0cc

SHA256
f5359df2aaa02fbfae540934f3e8f8a2ab362f7ee92dda536846afb67cea1b02

SHA512
5ac61b9eb9fbdca73e6ecfdb59e199419de0feb57f77652d8fbfebd543450fde593d375f76b5eb9a9bcd6f6c1dd01298dc1dc55f8e9844333b94ac49a3755f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Services Help.exe

Filesize
518KB

MD5
8a20ca605ca1ce7803ffb9e2219d5206

SHA1
88f2d6daf773b62d7913acce676b72b0818c2e08

SHA256
2c8aa2ce1b5b818d7a66f24cbb30d664d5618af94248ebf9c55e713c1f97d162

SHA512
0e4abf37ed5b528712662bf03bd4afb384fba9448d51a26cce03cb68cce4e018f5b295bea7b137146814fbe891e46348034e07c36b6ad47faf18b79ad198b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Services Update.exe

Filesize
489KB

MD5
7e805a295cc926c83de5913878219200

SHA1
ade9551bcaf138334054c6d16ae928bd107144a3

SHA256
afadf913b2d2a4caacc2b893c049b75766596efb4adfedbf217f618d4e4a8eb5

SHA512
18115735c618c5d44f1ebdfd2e8d455bc0f611481f3a652510abeca1b3c4829c4189aebe9d570359ab0b1b13574727ae3641db66080e43cb9a6b281bfcc6634f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe

Filesize
468KB

MD5
b0a2c3ad7d88f8928f7e1fce28223228

SHA1
2d53080eedf02ebc1c87f33b2bf51e60071863e0

SHA256
4693e7ec8479b765e57bf6dc2b2eb11ddd3523fe4cf76a3fd3c8d449fd17953f

SHA512
b9eed874f4fb9b903fac4f9f150e6bf4e7a79e62e5174ce4082600a402626a17cac74730028fd0ace092a76b94d2197518dcd05d8d3ad52330cfabc3195ae95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Pblsxziib.vbs

Filesize
181B

MD5
f1502081d1172131e3d33d384d1adb56

SHA1
85e44eb1e8c5b2911f8d6fcd339d4b3079b61eb4

SHA256
e39b7fbb84070e09b663dde6fe11b1048eeeede75c5eb521af28530389cae0c4

SHA512
5b61adb8ba73ef00db17183c9d569f9eb20196d05946ae082bcbf21aaca483b76ca83fb108329f73150bf43108a9c970474037861bc12a09f3d998de8d4057f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
74d428f926b5074e36fa90d95e62562b

SHA1
10cde2c025b0ba54e2db7f62361eaf997dcaf809

SHA256
789aead133fb0e02cdd5bcdde485b3d05069f533fdff1291faa9233c2f904ae8

SHA512
1491bc131ef0f27d47e818932c42739d47333fd562a94553af2d3ec76d110ec34ce5ebd5cd7feb4a28fa70551cd1310a92cebcecec6e6a4577f9799629177789

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe

Filesize
489KB

MD5
08577ac7a59b0fd8035817e0e35a16e6

SHA1
743c6bfeae542d31075d1b07c330b0d3c1742601

SHA256
5b97980d9957d38ef4d7ae2e499c217b7598de818689fbcab5cde3eb33c9110c

SHA512
1dc32f766deafe35132922406d5d5c4ebfa18382010c4847e7236ea1c8e95e78011541c6dde04343598b12a07850e136ec8287b4363ac5586dd3c33ebcfba66e

Download Submit
memory/1664-10-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/1664-0-0x000007FEF61FE000-0x000007FEF61FF000-memory.dmp

Filesize
4KB

Download
memory/1664-28-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/1664-11-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/1924-121-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1924-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-109-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-101-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-107-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-97-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-122-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1976-123-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2276-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-32-0x0000000000E80000-0x00000000019BE000-memory.dmp

Filesize
11.2MB

Download
memory/2716-29-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/2716-89-0x00000000042F0000-0x0000000004318000-memory.dmp

Filesize
160KB

Download
memory/2716-66-0x0000000000E30000-0x0000000000E74000-memory.dmp

Filesize
272KB

Download
memory/2756-80-0x0000000001FA0000-0x0000000001FC4000-memory.dmp

Filesize
144KB

Download
memory/2756-67-0x00000000008A0000-0x00000000008E4000-memory.dmp

Filesize
272KB

Download
memory/2756-30-0x00000000000C0000-0x000000000013C000-memory.dmp

Filesize
496KB

Download
memory/2848-31-0x0000000000040000-0x00000000000C8000-memory.dmp

Filesize
544KB

Download
memory/2848-88-0x0000000004300000-0x0000000004328000-memory.dmp

Filesize
160KB

Download
memory/2848-68-0x00000000021B0000-0x00000000021FA000-memory.dmp

Filesize
296KB

Download