asyncrat | 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fart.exe
Size

39.9MB
MD5

e1a72f7e4426c8d5e849459fa7c7e476
SHA1

e1101a053ebe7cf5dc44f4f4ea787be113cae10f
SHA256

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
SHA512

0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
SSDEEP

786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

Score

10^/10

asyncrat quasar xworm default office04 slave execution rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mshta.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral2/memory/856-44-0x0000000000F50000-0x0000000000F68000-memory.dmp	family_xworm
behavioral2/memory/2588-58-0x0000000000600000-0x000000000061A000-memory.dmp	family_xworm
behavioral2/memory/856-181-0x000000001E100000-0x000000001E10E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	family_quasar
behavioral2/memory/5060-60-0x0000000000680000-0x00000000006EC000-memory.dmp	family_quasar
behavioral2/memory/3492-64-0x0000000000F00000-0x0000000001224000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\ONPE.exe family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1420 powershell.exe
548 powershell.exe
3012 powershell.exe
4388 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	family_asyncrat

pid	process
1420	powershell.exe
548	powershell.exe
3012	powershell.exe
4388	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fart.exemshta.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	fart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

hat.exemshta.exeONPE.exesvchost.exeClient-built.exeindex.exe

pid process

5060 hat.exe
856 mshta.exe
3652 ONPE.exe
2588 svchost.exe
3492 Client-built.exe
4976 index.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3020 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1036 schtasks.exe

pid	process
5060	hat.exe
856	mshta.exe
3652	ONPE.exe
2588	svchost.exe
3492	Client-built.exe
4976	index.exe

flow	ioc
19	ip-api.com

pid	process
3020	taskkill.exe

pid	process
1036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exemshta.exe

pid	process
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
1420	powershell.exe
1420	powershell.exe
548	powershell.exe
548	powershell.exe
1420	powershell.exe
548	powershell.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
2588	svchost.exe
2588	svchost.exe
856	mshta.exe
856	mshta.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

Client-built.exemshta.exeONPE.exesvchost.exehat.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3492	Client-built.exe
Token: SeDebugPrivilege	856	mshta.exe
Token: SeDebugPrivilege	3652	ONPE.exe
Token: SeDebugPrivilege	2588	svchost.exe
Token: SeDebugPrivilege	5060	hat.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeIncreaseQuotaPrivilege	1012	WMIC.exe
Token: SeSecurityPrivilege	1012	WMIC.exe
Token: SeTakeOwnershipPrivilege	1012	WMIC.exe
Token: SeLoadDriverPrivilege	1012	WMIC.exe
Token: SeSystemProfilePrivilege	1012	WMIC.exe
Token: SeSystemtimePrivilege	1012	WMIC.exe
Token: SeProfSingleProcessPrivilege	1012	WMIC.exe
Token: SeIncBasePriorityPrivilege	1012	WMIC.exe
Token: SeCreatePagefilePrivilege	1012	WMIC.exe
Token: SeBackupPrivilege	1012	WMIC.exe
Token: SeRestorePrivilege	1012	WMIC.exe
Token: SeShutdownPrivilege	1012	WMIC.exe
Token: SeDebugPrivilege	1012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1012	WMIC.exe
Token: SeRemoteShutdownPrivilege	1012	WMIC.exe
Token: SeUndockPrivilege	1012	WMIC.exe
Token: SeManageVolumePrivilege	1012	WMIC.exe
Token: 33	1012	WMIC.exe
Token: 34	1012	WMIC.exe
Token: 35	1012	WMIC.exe
Token: 36	1012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1012	WMIC.exe
Token: SeSecurityPrivilege	1012	WMIC.exe
Token: SeTakeOwnershipPrivilege	1012	WMIC.exe
Token: SeLoadDriverPrivilege	1012	WMIC.exe
Token: SeSystemProfilePrivilege	1012	WMIC.exe
Token: SeSystemtimePrivilege	1012	WMIC.exe
Token: SeProfSingleProcessPrivilege	1012	WMIC.exe
Token: SeIncBasePriorityPrivilege	1012	WMIC.exe
Token: SeCreatePagefilePrivilege	1012	WMIC.exe
Token: SeBackupPrivilege	1012	WMIC.exe
Token: SeRestorePrivilege	1012	WMIC.exe
Token: SeShutdownPrivilege	1012	WMIC.exe
Token: SeDebugPrivilege	1012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1012	WMIC.exe
Token: SeRemoteShutdownPrivilege	1012	WMIC.exe
Token: SeUndockPrivilege	1012	WMIC.exe
Token: SeManageVolumePrivilege	1012	WMIC.exe
Token: 33	1012	WMIC.exe
Token: 34	1012	WMIC.exe
Token: 35	1012	WMIC.exe
Token: 36	1012	WMIC.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2588	svchost.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	856	mshta.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client-built.exehat.exesvchost.exemshta.exe

pid process

3492 Client-built.exe
5060 hat.exe
2588 svchost.exe
856 mshta.exe

pid	process
3492	Client-built.exe
5060	hat.exe
2588	svchost.exe
856	mshta.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

fart.exeindex.execmd.exehat.exemshta.execmd.exesvchost.exepowershell.execsc.exepowershell.exe

description	pid	process	target process
PID 3740 wrote to memory of 5060	3740	fart.exe	hat.exe
PID 3740 wrote to memory of 5060	3740	fart.exe	hat.exe
PID 3740 wrote to memory of 5060	3740	fart.exe	hat.exe
PID 3740 wrote to memory of 856	3740	fart.exe	mshta.exe
PID 3740 wrote to memory of 856	3740	fart.exe	mshta.exe
PID 3740 wrote to memory of 3652	3740	fart.exe	ONPE.exe
PID 3740 wrote to memory of 3652	3740	fart.exe	ONPE.exe
PID 3740 wrote to memory of 2588	3740	fart.exe	svchost.exe
PID 3740 wrote to memory of 2588	3740	fart.exe	svchost.exe
PID 3740 wrote to memory of 3492	3740	fart.exe	Client-built.exe
PID 3740 wrote to memory of 3492	3740	fart.exe	Client-built.exe
PID 3740 wrote to memory of 4976	3740	fart.exe	index.exe
PID 3740 wrote to memory of 4976	3740	fart.exe	index.exe
PID 4976 wrote to memory of 2792	4976	index.exe	cmd.exe
PID 4976 wrote to memory of 2792	4976	index.exe	cmd.exe
PID 4976 wrote to memory of 3236	4976	index.exe	cmd.exe
PID 4976 wrote to memory of 3236	4976	index.exe	cmd.exe
PID 2792 wrote to memory of 2080	2792	cmd.exe	powershell.exe
PID 2792 wrote to memory of 2080	2792	cmd.exe	powershell.exe
PID 5060 wrote to memory of 1036	5060	hat.exe	schtasks.exe
PID 5060 wrote to memory of 1036	5060	hat.exe	schtasks.exe
PID 5060 wrote to memory of 1036	5060	hat.exe	schtasks.exe
PID 856 wrote to memory of 1420	856	mshta.exe	powershell.exe
PID 856 wrote to memory of 1420	856	mshta.exe	powershell.exe
PID 3236 wrote to memory of 4396	3236	cmd.exe	findstr.exe
PID 3236 wrote to memory of 4396	3236	cmd.exe	findstr.exe
PID 2588 wrote to memory of 548	2588	svchost.exe	powershell.exe
PID 2588 wrote to memory of 548	2588	svchost.exe	powershell.exe
PID 2080 wrote to memory of 3844	2080	powershell.exe	csc.exe
PID 2080 wrote to memory of 3844	2080	powershell.exe	csc.exe
PID 3236 wrote to memory of 2364	3236	cmd.exe	powershell.exe
PID 3236 wrote to memory of 2364	3236	cmd.exe	powershell.exe
PID 3844 wrote to memory of 3156	3844	csc.exe	cvtres.exe
PID 3844 wrote to memory of 3156	3844	csc.exe	cvtres.exe
PID 2588 wrote to memory of 3012	2588	svchost.exe	powershell.exe
PID 2588 wrote to memory of 3012	2588	svchost.exe	powershell.exe
PID 2364 wrote to memory of 1012	2364	powershell.exe	WMIC.exe
PID 2364 wrote to memory of 1012	2364	powershell.exe	WMIC.exe
PID 856 wrote to memory of 4388	856	mshta.exe	powershell.exe
PID 856 wrote to memory of 4388	856	mshta.exe	powershell.exe
PID 2364 wrote to memory of 3020	2364	powershell.exe	taskkill.exe
PID 2364 wrote to memory of 3020	2364	powershell.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\fart.exe
"C:\Users\Admin\AppData\Local\Temp\fart.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Users\Admin\AppData\Local\Temp\mshta.exe
"C:\Users\Admin\AppData\Local\Temp\mshta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\AppData\Local\Temp\ONPE.exe
"C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\cmd.exe
cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ek52lcjh\ek52lcjh.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF462.tmp" "c:\Users\Admin\AppData\Local\Temp\ek52lcjh\CSC9B89931640BC4AC996DBC133339EA62.TMP"
6⤵
PID:3156

C:\Windows\system32\cmd.exe
cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat"
4⤵
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
1⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
04114c0529b116bf66d764ff6a5a8fe3

SHA1
0caeff17d1b2190f76c9bf539105f6c40c92bd14

SHA256
fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

SHA512
6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
Filesize
3.5MB

MD5
921a93456ac88d47914c5de9c9b33f7b

SHA1
b0f3b9d4200e807a8b66cf3b89dcb67a7b2d741b

SHA256
9427b87405fa4abf26b8aa85352dc8536c4e652d36cd0674bee60ae04c92f2a0

SHA512
14f5f1f414cdc4ed6fbafb9e647006f5aaf9be10bf2ac2096f728ca4a68375781c545fbecd2a0370a2038f45a92e26df6c07d453f2a57093020284a7c9b7db81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize
3.1MB

MD5
3609d79a3bd384ec00861417a1795932

SHA1
1e2beac3970f2debf5376ed1c4197380d1b1ab39

SHA256
ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80

SHA512
9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONPE.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF462.tmp
Filesize
1KB

MD5
5a87de0d06a4c84162c56dd4739717f1

SHA1
35aa6e25ba3d0f95a4f2dd9738a02ba697ec8316

SHA256
360537f8809ed28a03b9f92bd7cafc2a53df6533e97b264b0617bdb8afcfce6f

SHA512
2c2ae3446169839195fb1ffd0c2eb8f2367b305e5ba177cbf514376d7339d8f89a635cc9459979e8d9d567ae78b0aa739eade596b8213161acf9ae10555100e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvhlfrcm.0fj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ek52lcjh\ek52lcjh.dll
Filesize
3KB

MD5
4ac441bfd299903211ae9a8c6ab44665

SHA1
e030d00ba342d15c5a328de9b362d375701bd486

SHA256
e50cc0226b9a91b2e0b821e9aefc9770baac80499bd9321a7666fd08c9ffad10

SHA512
14ddaefca0cadfb24f8fc8b7733e5c5f50f05cdbb5c286c46e36939fa6587340c0e5bef468f77a5183d0f445267062ed43d269e673809640a92ac5486102218a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hat.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.exe
Filesize
36.2MB

MD5
3c9563aff1bd31ffa1692db8bf1526a6

SHA1
b9038ff03f20441170548f3910f141d58f46e46f

SHA256
c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2

SHA512
1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFjPWL.bat
Filesize
199B

MD5
736f438d6ab71467026317bae289d3a7

SHA1
a79ce69dc81aab0b8c3d7bd639d7fea9194d8864

SHA256
d2c33ee338d18cb2e931899b5b03afd3cfaa6c744c3e2797b9fd56b60732f89b

SHA512
e95ddbf5186cf8e3b52494076804c02194d87d30d8c99bb400ce14cf2bd0c81df954af333d1dd70512ba8aaf7534910112f938da353b111d2a1b7cf94b3bbb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshta.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ek52lcjh\CSC9B89931640BC4AC996DBC133339EA62.TMP
Filesize
652B

MD5
c99374bbc4cba6aef83cea59f012620f

SHA1
9273373ad3af71548cd444544babf793bd0f8385

SHA256
84981bbdb7f6c9d96dec6b03bb8b6d9c162c0a4205fe967a84871dd7794a3c6a

SHA512
ff43844a49ed833f2f36f13ee0611cf0906c4e2cd3265c4e44e1e5bf29857a0c482b227189489bdda2f04dde51a1fe969cbb276d7f1cc35a2d0af93dc1bcc451

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ek52lcjh\ek52lcjh.0.cs
Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ek52lcjh\ek52lcjh.cmdline
Filesize
369B

MD5
28daf0600ca2d375c292dd4094fa5772

SHA1
78221353fd30b4213ae7e512797b26806ef942cc

SHA256
4e0f0b70a2fd0607cc71aaad525ae367d933e5308de206d13cff6fa88874cc5a

SHA512
cde9b9feecc7e5b3a05f709c37519c22266eda8811675de5f6d8469773a6981935c742cc7c8cff9703a338c13fb2f5bfad56f27abdc592c4d50c43f23864f135

Download Submit
memory/856-181-0x000000001E100000-0x000000001E10E000-memory.dmp

Filesize
56KB

Download
memory/856-44-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/856-183-0x00007FFED6213000-0x00007FFED6215000-memory.dmp

Filesize
8KB

Download
memory/856-46-0x00007FFED6213000-0x00007FFED6215000-memory.dmp

Filesize
8KB

Download
memory/2080-139-0x000002076AA40000-0x000002076AA48000-memory.dmp

Filesize
32KB

Download
memory/2080-93-0x000002076AA50000-0x000002076AA72000-memory.dmp

Filesize
136KB

Download
memory/2588-58-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/3492-64-0x0000000000F00000-0x0000000001224000-memory.dmp

Filesize
3.1MB

Download
memory/3492-76-0x000000001C470000-0x000000001C522000-memory.dmp

Filesize
712KB

Download
memory/3492-75-0x000000001BD90000-0x000000001BDE0000-memory.dmp

Filesize
320KB

Download
memory/3652-45-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/3740-1-0x0000000000C20000-0x000000000340E000-memory.dmp

Filesize
39.9MB

Download
memory/3740-0-0x00007FFED6213000-0x00007FFED6215000-memory.dmp

Filesize
8KB

Download
memory/5060-65-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/5060-80-0x0000000005630000-0x0000000005642000-memory.dmp

Filesize
72KB

Download
memory/5060-71-0x0000000002C90000-0x0000000002CF6000-memory.dmp

Filesize
408KB

Download
memory/5060-63-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/5060-60-0x0000000000680000-0x00000000006EC000-memory.dmp

Filesize
432KB

Download
memory/5060-135-0x00000000066D0000-0x00000000066DA000-memory.dmp

Filesize
40KB

Download
memory/5060-85-0x0000000006230000-0x000000000626C000-memory.dmp

Filesize
240KB

Download
memory/5060-182-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/5060-32-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download