asyncrat | cfcc492a4c21493b0a1ca52ed0a0552f3388dabb40bfa1db94061269fe3afa4f

Analysis

max time kernel
421s
max time network
424s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28/02/2025, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

4283bcbe5bea251f8568efc572d431dd
SHA1

dee1cb4e0519ebcf092161ff125902aca428a4f1
SHA256

cfcc492a4c21493b0a1ca52ed0a0552f3388dabb40bfa1db94061269fe3afa4f
SHA512

2270742d31151236ff0a80b9a371a63bfe6bac8e8622a498324c9956711e31292ec61b95714a9f91f5dd9178eb1c22d43a82a7a81e8e0675a4b8bfee1e1296b4
SSDEEP

768:iqWcYBjjj78ZIC8A+X0iazcBRL5JTk1+T4KSBGHmDbD/ph0oXhpwq5vNlSuwdpqM:MZjLXdSJYUbdh9/DvKuwdpqKmY7

Score

10^/10

asyncrat stealerium default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

6.tcp.ngrok.io:17720

Attributes

delay
1
install
true
install_file
sigma.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000027e4c-11.dat	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	sigma.exe

Executes dropped EXE 1 IoCs

pid	Process
3188	sigma.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sigma.exe
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sigma.exe
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sigma.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	sigma.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
14	6.tcp.ngrok.io

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	icanhazip.com
52	ip-api.com
74	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2540	ARP.EXE

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4476	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2676	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4136	cmd.exe
3632	netsh.exe
2764	cmd.exe
528	netsh.exe
1196	cmd.exe
1244	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sigma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sigma.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4524	timeout.exe
2772	timeout.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1216	ipconfig.exe
4716	NETSTAT.EXE
3244	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1044	systeminfo.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
4972	Infected.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe
3188	sigma.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	Infected.exe
Token: SeDebugPrivilege	3188	sigma.exe
Token: SeSecurityPrivilege	4204	TiWorker.exe
Token: SeRestorePrivilege	4204	TiWorker.exe
Token: SeBackupPrivilege	4204	TiWorker.exe
Token: SeDebugPrivilege	4476	tasklist.exe
Token: SeDebugPrivilege	4716	NETSTAT.EXE
Token: SeSecurityPrivilege	4204	TiWorker.exe
Token: SeRestorePrivilege	4204	TiWorker.exe
Token: SeBackupPrivilege	4204	TiWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4040	4972	Infected.exe	80
PID 4972 wrote to memory of 4040	4972	Infected.exe	80
PID 4972 wrote to memory of 2288	4972	Infected.exe	82
PID 4972 wrote to memory of 2288	4972	Infected.exe	82
PID 4040 wrote to memory of 3216	4040	cmd.exe	84
PID 4040 wrote to memory of 3216	4040	cmd.exe	84
PID 2288 wrote to memory of 4524	2288	cmd.exe	85
PID 2288 wrote to memory of 4524	2288	cmd.exe	85
PID 2288 wrote to memory of 3188	2288	cmd.exe	90
PID 2288 wrote to memory of 3188	2288	cmd.exe	90
PID 3188 wrote to memory of 4136	3188	sigma.exe	107
PID 3188 wrote to memory of 4136	3188	sigma.exe	107
PID 4136 wrote to memory of 2324	4136	cmd.exe	109
PID 4136 wrote to memory of 2324	4136	cmd.exe	109
PID 4136 wrote to memory of 3632	4136	cmd.exe	110
PID 4136 wrote to memory of 3632	4136	cmd.exe	110
PID 4136 wrote to memory of 224	4136	cmd.exe	111
PID 4136 wrote to memory of 224	4136	cmd.exe	111
PID 3188 wrote to memory of 4476	3188	sigma.exe	112
PID 3188 wrote to memory of 4476	3188	sigma.exe	112
PID 4476 wrote to memory of 2100	4476	cmd.exe	114
PID 4476 wrote to memory of 2100	4476	cmd.exe	114
PID 3188 wrote to memory of 2764	3188	sigma.exe	115
PID 3188 wrote to memory of 2764	3188	sigma.exe	115
PID 4476 wrote to memory of 3608	4476	cmd.exe	117
PID 4476 wrote to memory of 3608	4476	cmd.exe	117
PID 2764 wrote to memory of 3756	2764	cmd.exe	118
PID 2764 wrote to memory of 3756	2764	cmd.exe	118
PID 2764 wrote to memory of 528	2764	cmd.exe	119
PID 2764 wrote to memory of 528	2764	cmd.exe	119
PID 2764 wrote to memory of 4184	2764	cmd.exe	120
PID 2764 wrote to memory of 4184	2764	cmd.exe	120
PID 3188 wrote to memory of 3040	3188	sigma.exe	121
PID 3188 wrote to memory of 3040	3188	sigma.exe	121
PID 3040 wrote to memory of 1796	3040	cmd.exe	123
PID 3040 wrote to memory of 1796	3040	cmd.exe	123
PID 3040 wrote to memory of 2652	3040	cmd.exe	124
PID 3040 wrote to memory of 2652	3040	cmd.exe	124
PID 3188 wrote to memory of 3152	3188	sigma.exe	125
PID 3188 wrote to memory of 3152	3188	sigma.exe	125
PID 3152 wrote to memory of 1044	3152	cmd.exe	127
PID 3152 wrote to memory of 1044	3152	cmd.exe	127
PID 3152 wrote to memory of 2064	3152	cmd.exe	131
PID 3152 wrote to memory of 2064	3152	cmd.exe	131
PID 3152 wrote to memory of 4688	3152	cmd.exe	132
PID 3152 wrote to memory of 4688	3152	cmd.exe	132
PID 4688 wrote to memory of 1264	4688	net.exe	133
PID 4688 wrote to memory of 1264	4688	net.exe	133
PID 3152 wrote to memory of 3764	3152	cmd.exe	134
PID 3152 wrote to memory of 3764	3152	cmd.exe	134
PID 3764 wrote to memory of 896	3764	net.exe	135
PID 3764 wrote to memory of 896	3764	net.exe	135
PID 3152 wrote to memory of 4776	3152	cmd.exe	136
PID 3152 wrote to memory of 4776	3152	cmd.exe	136
PID 4776 wrote to memory of 2944	4776	net.exe	137
PID 4776 wrote to memory of 2944	4776	net.exe	137
PID 3152 wrote to memory of 2812	3152	cmd.exe	138
PID 3152 wrote to memory of 2812	3152	cmd.exe	138
PID 2812 wrote to memory of 1552	2812	net.exe	139
PID 2812 wrote to memory of 1552	2812	net.exe	139
PID 3152 wrote to memory of 1176	3152	cmd.exe	140
PID 3152 wrote to memory of 1176	3152	cmd.exe	140
PID 1176 wrote to memory of 1636	1176	net.exe	141
PID 1176 wrote to memory of 1636	1176	net.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sigma.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sigma.exe

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4524
- - C:\Users\Admin\AppData\Roaming\sigma.exe
    "C:\Users\Admin\AppData\Roaming\sigma.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:3188
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2324
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3632
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:224
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2100
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3608
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3756
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:528
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:4184
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1796
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2652
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1044
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2064
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:1264
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:896
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2944
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:1552
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:1216
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4984
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:2540
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -an
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /displaydns
        5⤵
        Gathers network information
        
        PID:3244
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:2676
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1196
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2376
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1244
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:1112
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:1044
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1264
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "sigma"
      4⤵
      PID:2224
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "sigma"
        5⤵
        
        PID:1272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F0B.tmp.bat""
      4⤵
      PID:4760
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2772

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:4832

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
151c74200fc7a662b6bb8f7cdfe09790

SHA1
93142c32399880cee26dfd34e29671857231c82d

SHA256
8e795c9808b627c1473cc7685e358ad9596151f752c542edebe433c8d15fa8c2

SHA512
eebed9805386cdd083d2182628b8e4dd3e42bb6cb35f0d9b5c588525eb2c04a7c9870a0a0a090552e3827936eabeba6e6d4fcf3143a9f709dcebae06aaeb4ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
6caf0855f283bc6306f075478236eb2d

SHA1
2d6f6ab18bb50c7f77b25dd2c29c60c7dabe880d

SHA256
bcfd0b25bdd2ae30bbcc30301103a074ac953a2fbbd4b1ea55b251b6541d6953

SHA512
e82775387dc5cb9a7aabb82561a1dcfe50f8e7d6ed0d91c0bec807ae6be21a004e660503948a490782a1d7b328b5f0d539ade3bda989d3107a6fe114d815f76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3ed400-d1e84918ad678b08d2a369a3-Latest.log

Filesize
5KB

MD5
05253de15e8e488bf5be560965314d28

SHA1
e4693fa31ca5adaf2a2590adaf8389326789d804

SHA256
7b024d6d8805312699d45c3370f43b0e2728722fb43a462e70bd27c72e175651

SHA512
10c0cd6174403e42746f62d0ca53d29a3b68abf590c11e011fe0e24b3d07bdc334a53e2edbeec18280cd93d237bde18b4254e93c18c5a3ce06e652f40434e700

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F0B.tmp.bat

Filesize
154B

MD5
e8ad402699b53a7d2ad531880e6e8b30

SHA1
f4b01bbb4c06bbccf9f5bf350f050d41b392c2f5

SHA256
b0db09143f61136c41bfaedbb841fe3a6920ac5ed7788f67438f6e30d1d7816d

SHA512
7c5f948d0e1238390f34838671b75d06d00720839ba3226351adc5c5666f68ef5c67130f5fcc0893067b71d57999f904a7c5c1bd0bf6c858716821620c253019

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.bat

Filesize
149B

MD5
fe2da6dc66bcc266c6ed7fbbe5de0735

SHA1
c222a7e71aa46088a900098b7d4817befda72995

SHA256
85a5af7f3f4c46a217ee627ebc58a1df9342bc2b427b44107d14739dc0047ba4

SHA512
454ab7a394f439dd3943532c2071aa64eabb508b7e022df9169da4bf6061fdb4f497b0cf4a2670d1d24d37463dc9122c27d232cac1bb43f18cbff656d2c30f0f

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Desktop.jpg

Filesize
80KB

MD5
28415922c06d1a4c85f073d2137dfcea

SHA1
eb78b1c033648d0e963e167da45e90644f156cad

SHA256
7cdfe48b2c9a58ab52637748fb121577cb01738cadf26e9fa86de1b497546913

SHA512
94247942045a1daeb6ac381c6de9ecf469e597818231d73255a03703d1c2b9e9cdfe74c2da7a6135e42fb644a39e8262df0e9894a5ce5b8f4a3d778dcc4b0d92

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
3KB

MD5
a95f97089e9ebbba9cb2788e9faff853

SHA1
f01d0c8189f7be87e52b7319149ebf6a83eb2dd6

SHA256
0932af60909c08f6b7f896f83764732a6dedef236ea6463f7d1bce768589bcbe

SHA512
ff2a5eca3775632e4cfb7e4d284351dd82ca57b7213c88ffdc5e37303be78da0a464928c43d171cf6dfcba4d7d6a096bbd5b081597271cf9a7386a3fcc7c954c

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
4KB

MD5
1e2f0fd7677be666bfcd561ef47e537f

SHA1
d8df574394f872a018c239ca1adb90012cbe95d7

SHA256
ea26e0e1e2205077f4c6b647294dbc8ec2b19060817fb8d0808fcbf08afe6854

SHA512
54ac6deed2aaa7e8ae66ce9d13503417628e7e9d3cc253d43dc0d3e2ab81c268ff5c2401c008288c3e851ef5d3216986876e4e7508ac61d7b10ed93e40bf0227

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
747B

MD5
f9cb56bf6558f82e6de057ae18f67239

SHA1
3a61b7c03597ef29a7e82fb91315991c413d2fa4

SHA256
2f12e47e7ebad76b44d228f9b8aec7c72e328c7dacadf6d444f6b571aca5cf3b

SHA512
e1125b6c409a307fc2551968b2a129faf30ecb406772baf2420c3923ce2aee34f60bf6422e561e5d1212ee818ebaf31535a05205acb0c330637a0ef59a4c406e

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
2KB

MD5
237913e42145c47255e09afe15e0df79

SHA1
906e81eb60bb5a6a4057f0759d360a278267dc41

SHA256
9d74413b37b9117894ccc94a567017d5d8314bcd7f61dce82e5ead22df8eef31

SHA512
e983729e2de4f3c79a0849e42ff4b2c144e739bf55cb5f90ee771d1023643433b71fd20128b0bbfd1146f1a5d8932d68653539a2872c5314c811242a002073e5

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
1KB

MD5
6e7721010c2b938c1cddbb5f1f172af9

SHA1
5b401c56d24281f391efb54ef04ac9529837cc86

SHA256
a0817e700ef09ce6093b995e24dacbd8e31671491d02d3aca71b6a714ab1cc4f

SHA512
1423937e9f1395ca77e50a9a6f57ced5138e973e198d60d86fa41b3ab78387782ad5d538e0d65c64fcb460ee44f0a02fd519161675924e005ec9fa2a9a36bee1

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
2KB

MD5
fbfa796335469f62876765d9751cf99a

SHA1
ba8687626008a7169bf17648e36d6aff5b815331

SHA256
5e4ad0401dd7e81930550a4c218b04061a0bbfa534029182a13e8b7765c60383

SHA512
1cbbb9d1726ad2ce2981dd3bf8e301a6c5975a241f023300bc592ac76c6e5b77d040f09ea2da29e1b1d3d28a94712675cdf9bcd2aa3fc283668bfb5721d7a00b

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
5KB

MD5
dc96ad88a16958419a65316a03835c22

SHA1
ca041d59af2cf473116f3ad01c76c90e37cc599a

SHA256
fe1951bb4a2396dc5e408d40fb8731239dd919716db2440f8ba8b56c9685484c

SHA512
e047108cb8bf50790a20aedf94fd9e1978879c0b0407be6ef129545e2c27665a34e6cb5a36b77144ec151516de72136caa3221a9e1537375aa60f9e34c63b55c

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Process.txt

Filesize
4KB

MD5
078c028470e8289ee8ecfb335378f822

SHA1
fc8f7f5573e9406cc43db367fdd992297a59261f

SHA256
ac5c76818caca8cdb5b9e63e4096811923cc71b2928909da766902f7291aca90

SHA512
64379a1cbf1b1e60ed3cebf6eb5459f32f84ccf157a8b279851b11f7e4e467405572f80579a062f5be36a70c808ddda906517626fbb58b0bcf29f92bcc7fe7a1

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\ProductKey.txt

Filesize
29B

MD5
99f6d2bb21787807753c364f127cc9d7

SHA1
8c51232f94cc6507913dd898a224e823e879b95e

SHA256
a35720e3555f25da224fe50e7b4faa53d7003190f556d121f02e4cb119d56a9c

SHA512
e0c76103b51064f0a7c215dac2e9dafa421c608880c96cc5a7bf842a764a5c3202b48d4d71716eca4d6d9b3f55117e82b9a53bae9d6db7d4dc9087971d8bdf31

Download Submit
C:\Users\Admin\AppData\Local\c4ec4407eb7dd747003cc90dd0d41655\Admin@NNYNORND_en-US\System\Windows.txt

Filesize
161B

MD5
7acc464c00f8a6a4103c817ff8f23d59

SHA1
bda8041daf7667ad8e2c2c0007bee362c3a0165a

SHA256
6b5e019c7ef0b56ada926bdee9c9e38036f3dcecded6504ceeca944a68ad4ecd

SHA512
8fbd4e23db23e36732f6800df8ebbda2353ecfb8de6bda501a11096b833e1b85210cb163b252da0c9be0d7ee7424bb337a6f98f11594ac66260026c9ee24b10b

Download Submit
C:\Users\Admin\AppData\Roaming\sigma.exe

Filesize
63KB

MD5
4283bcbe5bea251f8568efc572d431dd

SHA1
dee1cb4e0519ebcf092161ff125902aca428a4f1

SHA256
cfcc492a4c21493b0a1ca52ed0a0552f3388dabb40bfa1db94061269fe3afa4f

SHA512
2270742d31151236ff0a80b9a371a63bfe6bac8e8622a498324c9956711e31292ec61b95714a9f91f5dd9178eb1c22d43a82a7a81e8e0675a4b8bfee1e1296b4

Download Submit
memory/3188-18-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/3188-353-0x000000001FB60000-0x000000001FB90000-memory.dmp

Filesize
192KB

Download
memory/3188-24-0x000000001D4B0000-0x000000001D4BA000-memory.dmp

Filesize
40KB

Download
memory/3188-19-0x000000001F860000-0x000000001F9E8000-memory.dmp

Filesize
1.5MB

Download
memory/3188-523-0x000000001F9F0000-0x000000001FAA2000-memory.dmp

Filesize
712KB

Download
memory/3188-325-0x000000001B680000-0x000000001B6A4000-memory.dmp

Filesize
144KB

Download
memory/3188-17-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/3188-16-0x00000000027A0000-0x00000000027D4000-memory.dmp

Filesize
208KB

Download
memory/3188-352-0x000000001DEC0000-0x000000001DEDC000-memory.dmp

Filesize
112KB

Download
memory/3188-284-0x000000001B5D0000-0x000000001B64A000-memory.dmp

Filesize
488KB

Download
memory/3188-15-0x000000001D840000-0x000000001D8B6000-memory.dmp

Filesize
472KB

Download
memory/3188-355-0x000000001FDF0000-0x000000001FE5A000-memory.dmp

Filesize
424KB

Download
memory/3188-360-0x000000001B9D0000-0x000000001B9EC000-memory.dmp

Filesize
112KB

Download
memory/3188-361-0x000000001BB20000-0x000000001BB52000-memory.dmp

Filesize
200KB

Download
memory/4972-8-0x00007FFFC8C40000-0x00007FFFC9702000-memory.dmp

Filesize
10.8MB

Download
memory/4972-3-0x00007FFFC8C40000-0x00007FFFC9702000-memory.dmp

Filesize
10.8MB

Download
memory/4972-2-0x00007FFFC8C40000-0x00007FFFC9702000-memory.dmp

Filesize
10.8MB

Download
memory/4972-0-0x00007FFFC8C43000-0x00007FFFC8C45000-memory.dmp

Filesize
8KB

Download
memory/4972-1-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download