asyncrat | f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af

Analysis

max time kernel
59s
max time network
56s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Size

3.1MB
MD5

140f3d3e62eec69edafd3ff855ef3bf7
SHA1

155e413504169fe58e418c545c48fe3254a91ae5
SHA256

f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af
SHA512

4ba11cc149a6795e2abc1f8a5f593d48437205e8360b989c6ba05033f41a9271339a541b8d763da4a95b4d5b8967cb8db5bf74e71754741fa93228f7a6b50513
SSDEEP

49152:yaBI3hJnoRWOhPqcNHwTIgsLWF8lv9Xeh5Lvqg7ESHPG+c8+SEGQEx:7BKJOW8NmDWlvgh5LvuSuNTSEGPx

Score

10^/10

asyncrat darkcomet new-pure-2025-apr-444 null discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

New-pure-2025-apr-444

klarkgabi.zapto.org:37223

Mutex

DC_MUTEX-B6EB1ZG

Attributes

InstallPath
calc.exe
gencode
EMfVQBDB7LEd
install
true
offline_keylogger
true
password
hhhhhh
persistence
false
reg_key
wincalc

rc4.plain

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

klarkgabi.zapto.org:9907

Mutex

servnew7888

Attributes

delay
5
install
false
install_file
winplay.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\calc.exe"	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe

Executes dropped EXE 10 IoCs

pid	Process
1180	calc.exe
4724	ADOBE.EXE
5096	SVSHOST.EXE
4928	USBWIN.EXE
4244	WINMEDIA.EXE
2872	WINRARS.EXE
3356	USBWIN.EXE
5008	calc.exe
2076	winvideo.exe
1428	winvideo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\wincalc = "C:\\Users\\Admin\\Documents\\calc.exe"	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6028 set thread context of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 4928 set thread context of 3356	4928	USBWIN.EXE	89
PID 2076 set thread context of 1428	2076	winvideo.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADOBE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVSHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINMEDIA.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBWIN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvideo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBWIN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINRARS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvideo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5304	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3356	USBWIN.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeSecurityPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeTakeOwnershipPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeLoadDriverPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeSystemProfilePrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeSystemtimePrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeProfSingleProcessPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeIncBasePriorityPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeCreatePagefilePrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeBackupPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeRestorePrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeShutdownPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeDebugPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeSystemEnvironmentPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeChangeNotifyPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeRemoteShutdownPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeUndockPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeManageVolumePrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeImpersonatePrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeCreateGlobalPrivilege	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: 33	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: 34	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: 35	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: 36	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
Token: SeDebugPrivilege	3356	USBWIN.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 6028 wrote to memory of 3404	6028	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	80
PID 5460 wrote to memory of 1180	5460	cmd.exe	83
PID 5460 wrote to memory of 1180	5460	cmd.exe	83
PID 5460 wrote to memory of 1180	5460	cmd.exe	83
PID 3404 wrote to memory of 4724	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	84
PID 3404 wrote to memory of 4724	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	84
PID 3404 wrote to memory of 4724	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	84
PID 3404 wrote to memory of 5096	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	85
PID 3404 wrote to memory of 5096	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	85
PID 3404 wrote to memory of 5096	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	85
PID 3404 wrote to memory of 4928	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	86
PID 3404 wrote to memory of 4928	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	86
PID 3404 wrote to memory of 4928	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	86
PID 3404 wrote to memory of 4244	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	87
PID 3404 wrote to memory of 4244	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	87
PID 3404 wrote to memory of 4244	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	87
PID 3404 wrote to memory of 2872	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	88
PID 3404 wrote to memory of 2872	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	88
PID 3404 wrote to memory of 2872	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	88
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 4928 wrote to memory of 3356	4928	USBWIN.EXE	89
PID 3404 wrote to memory of 5008	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	90
PID 3404 wrote to memory of 5008	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	90
PID 3404 wrote to memory of 5008	3404	f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe	90
PID 4928 wrote to memory of 2868	4928	USBWIN.EXE	91
PID 4928 wrote to memory of 2868	4928	USBWIN.EXE	91
PID 4928 wrote to memory of 2868	4928	USBWIN.EXE	91
PID 4928 wrote to memory of 2612	4928	USBWIN.EXE	93
PID 4928 wrote to memory of 2612	4928	USBWIN.EXE	93
PID 4928 wrote to memory of 2612	4928	USBWIN.EXE	93
PID 2612 wrote to memory of 5304	2612	cmd.exe	95
PID 2612 wrote to memory of 5304	2612	cmd.exe	95
PID 2612 wrote to memory of 5304	2612	cmd.exe	95
PID 4928 wrote to memory of 5152	4928	USBWIN.EXE	96
PID 4928 wrote to memory of 5152	4928	USBWIN.EXE	96
PID 4928 wrote to memory of 5152	4928	USBWIN.EXE	96
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1428	2076	winvideo.exe	99
PID 2076 wrote to memory of 1456	2076	winvideo.exe	100
PID 2076 wrote to memory of 1456	2076	winvideo.exe	100
PID 2076 wrote to memory of 1456	2076	winvideo.exe	100

C:\Users\Admin\AppData\Local\Temp\f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
"C:\Users\Admin\AppData\Local\Temp\f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6028
- C:\Users\Admin\AppData\Local\Temp\f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe
  "C:\Users\Admin\AppData\Local\Temp\f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\ADOBE.EXE
    "C:\Users\Admin\AppData\Local\Temp\ADOBE.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\SVSHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVSHOST.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\USBWIN.EXE
    "C:\Users\Admin\AppData\Local\Temp\USBWIN.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\USBWIN.EXE
      "C:\Users\Admin\AppData\Local\Temp\USBWIN.EXE"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\winvideo"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe'" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\USBWIN.EXE" "C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5152
- - C:\Users\Admin\AppData\Local\Temp\WINMEDIA.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINMEDIA.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\WINRARS.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINRARS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Users\Admin\Documents\calc.exe
    "C:\Users\Admin\Documents\calc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\calc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5460
- C:\Users\Admin\Documents\calc.exe
  C:\Users\Admin\Documents\calc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1180

C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe
C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe
  "C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\winvideo"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe" "C:\Users\Admin\AppData\Roaming\winvideo\winvideo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBE.EXE

Filesize
821KB

MD5
79bf855a30a5bb0f55c2c803038d9b8d

SHA1
731272a40c3199a34031170ca13036afde608304

SHA256
daced69a19767b62b51e3ea38675cee3b88f11fa93cb05789c5befadd6c1eca2

SHA512
fbcc7564deb15db5aa4951102ee1cf4a14f1b1d9d466cda01beb946ba70eb23026ba38246c0b1a7019cd35de615f6eb0347734a490b21da2e057c05be290c86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVSHOST.EXE

Filesize
871KB

MD5
64b59f3f2e44d0a20353fddb06c206d7

SHA1
f16200245c779926d87b851985636df345ebbefc

SHA256
93aa34b1f1662637c3025615a9b045c4031e61967bd6d73c2ad8c3191af7b31e

SHA512
9ef5842c20d8b6f052639f349d3b4f23013d10047cd6bc55a5fb2c832f580688f046812945693b0aab1c074a43ac63b72bce7cfb63fd23dfd807996ffde5430d

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBWIN.EXE

Filesize
181KB

MD5
4f81e3de4c14c7c7eec40f2831459c80

SHA1
a9b6d7261f14265760b9533a93d113d52d3706e6

SHA256
c9d9caae4f9b8fc0b6bf5472ee465ccaa76248482da37fc1c9c267504989e60c

SHA512
7e7250884a5e58a147a991b04a8d6afba230d2768e18549b940e676ba4b8fc1ed0d080ac396e6cf7ab1b71ad53e9f9493643fea81ac7163ed5d41348f128f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINMEDIA.EXE

Filesize
179KB

MD5
df5683a234caa91931a1bf26c1cfe833

SHA1
202d965b73dd19e8396e9eac9b31bbad014d2062

SHA256
62f6acd131549adce71938b1aa1944dfd7f61b32797dc25ad1410b494ae1ce5a

SHA512
b6d709b9c99dc23b04a1544f1a8c707f49a883ca172f1b35c97384bb2206c2ce8a5cc1c07abbc2b4979be121ebdcc3c084be5e76840ec4417a45c573b1055ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARS.EXE

Filesize
357KB

MD5
d77f8d9f12bf80a553a54b095ec73052

SHA1
84348fa872bae8507a253498c006101bc4ac8cec

SHA256
2caa6dbe19b7e46074ec0e9a15cd377a0d3ad022b144d046edbeb3891df83ce2

SHA512
feba6cdb2073b8ded2d0c9c60665be39bca81dd1c8723d06d4e9abdc4584081d33f020298055e15b7715ee12a9eda449fecbe41171c2526efb271d31c7d92b4a

Download Submit
C:\Users\Admin\Documents\calc.exe

Filesize
3.1MB

MD5
140f3d3e62eec69edafd3ff855ef3bf7

SHA1
155e413504169fe58e418c545c48fe3254a91ae5

SHA256
f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af

SHA512
4ba11cc149a6795e2abc1f8a5f593d48437205e8360b989c6ba05033f41a9271339a541b8d763da4a95b4d5b8967cb8db5bf74e71754741fa93228f7a6b50513

Download Submit
memory/1180-96-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/1180-95-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/1180-30-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/1180-29-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/2872-82-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/3356-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3356-94-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/3404-13-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/3404-12-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/3404-10-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/3404-9-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/3404-7-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/3404-88-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/4244-78-0x0000000000FB0000-0x0000000000FE2000-memory.dmp

Filesize
200KB

Download
memory/4724-37-0x0000000000B50000-0x0000000000C22000-memory.dmp

Filesize
840KB

Download
memory/4928-86-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/4928-66-0x00000000003F0000-0x0000000000422000-memory.dmp

Filesize
200KB

Download
memory/5096-54-0x0000000000C50000-0x0000000000D30000-memory.dmp

Filesize
896KB

Download
memory/6028-5-0x00000000751BE000-0x00000000751BF000-memory.dmp

Filesize
4KB

Download
memory/6028-4-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/6028-3-0x0000000004DC0000-0x0000000004E26000-memory.dmp

Filesize
408KB

Download
memory/6028-0-0x00000000751BE000-0x00000000751BF000-memory.dmp

Filesize
4KB

Download
memory/6028-6-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/6028-11-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/6028-2-0x00000000052A0000-0x0000000005846000-memory.dmp

Filesize
5.6MB

Download
memory/6028-1-0x0000000000020000-0x0000000000336000-memory.dmp

Filesize
3.1MB

Download