Analysis
- max time kernel: 81s
- max time network: 87s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-02-2023 13:06
- Static task: static1
General
- Target: SpyMax-4.0 Cracked+Activated_install.exe
- Size: 104.1MB
- MD5: a7e39331cdf403335cf432aa36e3d3fc
- SHA1: 60d5af5f01457932b061ac6fff52bd9bcfc18634
- SHA256: bb7e1270658ab3596ebf0a1a9131b6cee5e6eba57a4b7ed112a7a2993339c3ea
- SHA512: 7b4d127ee8294ab722aa4604690bd74715069d2557fc7c70740b1d26bd32a593ef8bf5dbcaee7cd5f182e2ba1577c808615b377db98b2c83d706c04df1514ea1
- SSDEEP: 1572864:pUKdbtOBERw2YgkKrqSdNHpzeW4MDL908tVzYJajtOBERw6TTLjU2j+GJWvR/uTo:rd15kk4NQ908t24JvUwIo8Skd
Malware Config
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: verynice.ddns.net:8848
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: WindowsDefender.exe
- install_folder: %Temp%
Signatures

Async RAT payload (4 IoCs)
YARA rule asyncrat matched on:
- C:\Users\Admin\New folder\Stub.exe
- C:\Users\Admin\New folder\Stub.exe
- behavioral1/memory/3608-138-0x0000000000720000-0x0000000000736000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, by each of:
- SpyMax-4.0 Cracked+Activated_install.exe
- ExtraStub.exe
- Stub.exe

Executes dropped EXE (3 IoCs)
- PID 4268: ExtraStub.exe
- PID 3608: Stub.exe
- PID 2148: WindowsDefender.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
- PID 3172: timeout.exe

Modifies registry class (2 IoCs)
Keys created by SpyMax-4.0 Cracked+Activated_install.exe:
- \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses (21 IoCs)
- PID 3608: Stub.exe (21 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 8: SpyMax-4.0 Cracked+Activated_install.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- PID 3608: Stub.exe, Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 8: SpyMax-4.0 Cracked+Activated_install.exe (2 occurrences)
- PID 4268: ExtraStub.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Source process -> target process (occurrences):
- PID 8 SpyMax-4.0 Cracked+Activated_install.exe -> PID 4268 ExtraStub.exe (3)
- PID 8 SpyMax-4.0 Cracked+Activated_install.exe -> PID 3608 Stub.exe (2)
- PID 4268 ExtraStub.exe -> PID 4424 cmd.exe (3)
- PID 3608 Stub.exe -> PID 2612 cmd.exe (2)
- PID 3608 Stub.exe -> PID 4112 cmd.exe (2)
- PID 2612 cmd.exe -> PID 2980 schtasks.exe (2)
- PID 4112 cmd.exe -> PID 3172 timeout.exe (2)
- PID 4112 cmd.exe -> PID 2148 WindowsDefender.exe (2)
Processes
(indentation shows parent/child relationship; PIDs taken from the signature section above)

C:\Users\Admin\AppData\Local\Temp\SpyMax-4.0 Cracked+Activated_install.exe (PID 8)
Command line: "C:\Users\Admin\AppData\Local\Temp\SpyMax-4.0 Cracked+Activated_install.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\New folder\ExtraStub.exe (PID 4268)
    Command line: "C:\Users\Admin\New folder\ExtraStub.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4424)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

    C:\Users\Admin\New folder\Stub.exe (PID 3608)
    Command line: "C:\Users\Admin\New folder\Stub.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe (PID 2612)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"' & exit
        - Suspicious use of WriteProcessMemory

            C:\Windows\system32\schtasks.exe (PID 2980)
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"'
            - Creates scheduled task(s)

        C:\Windows\system32\cmd.exe (PID 4112)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EA6.tmp.bat""
        - Suspicious use of WriteProcessMemory

            C:\Windows\system32\timeout.exe (PID 3172)
            Command line: timeout 3
            - Delays execution with timeout.exe

            C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe (PID 2148)
            Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
- Filesize: 63KB
- MD5: 1a76515d1722564375589437a45eba34
- SHA1: 6046e4ecda7cbf012205878fa0ca39902e17cd52
- SHA256: e0556c4f5cd6277ea078e58833224683b08242f0fda81cff8055ac45e8517c8f
- SHA512: c34c4e7d9b73ed3a25606f454d8f327f53ba2fff4ddc3e26208d8072b16a6d46deaef99a3f511ea68d09a197b57e2166122421e1ea4f412d49d6fd03e2277081

C:\Users\Admin\AppData\Local\Temp\is64.bat
- Filesize: 181B
- MD5: 225edee1d46e0a80610db26b275d72fb
- SHA1: ce206abf11aaf19278b72f5021cc64b1b427b7e8
- SHA256: e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
- SHA512: 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\tmp7EA6.tmp.bat
- Filesize: 162B
- MD5: f1a800c0eb511c23a6f9f99b016f153c
- SHA1: 93bb7882ffc29b039581b897a590100423c1d5ea
- SHA256: ff3135b658a44ae112d26afeb27be6229a0079f43b1ab83c752ec31152b96a7e
- SHA512: ac9e4c6756be77ab5006eb1d3992d8e5587310765a22c644581c9965cbc320892700b56aaf4fce4d0dc317e82c68857db4179bc29b944064673121a95bd3eb55

C:\Users\Admin\New folder\ExtraStub.exe
- Filesize: 72KB
- MD5: 4e8656ace67c352adcc43d4236dfc890
- SHA1: f6a905a6a36663441cc825009e468db49df47209
- SHA256: 926f8b84335a7642f566d2f716b3a7494416a34da4b5f408849a0a26bc344290
- SHA512: f9aa75a41736888f635f0ca06b79e6a0c7b85923dc89322d59aaea3fd89d356d9caacb42b2421f85a68733d0b00fe0ebc21530017d3bc6674cddae850cc8e82c

C:\Users\Admin\New folder\Stub.exe
- Filesize: 63KB
- MD5: 1a76515d1722564375589437a45eba34
- SHA1: 6046e4ecda7cbf012205878fa0ca39902e17cd52
- SHA256: e0556c4f5cd6277ea078e58833224683b08242f0fda81cff8055ac45e8517c8f
- SHA512: c34c4e7d9b73ed3a25606f454d8f327f53ba2fff4ddc3e26208d8072b16a6d46deaef99a3f511ea68d09a197b57e2166122421e1ea4f412d49d6fd03e2277081