Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
08-03-2023 07:58
General
-
Target
tmp.exe
-
Size
597KB
-
MD5
adf266d3870069d9c6ec30091d347f68
-
SHA1
dc27468702ccd3139f773c72ba64d38d8a50ff07
-
SHA256
dd44612801b32da18885221e9211c565eecceeef71217b5b9858b839d6f8dc0d
-
SHA512
cf57167932dde49b92cfcb72ee84dca1df51fe66d2ca2d832488bb4d410fd1f5ed9e0e8755a8fd5de41bb96f0e40fce35fa6c678ff4c794b7077026441ba26cd
-
SSDEEP
6144:xSyBmqk0G78MNNhrXN8d9sx40RZGI8i6e6jherVXLw1Ig:xSycICXhrMWx/4Iae6VkXUWg
Malware Config
Extracted
asyncrat
0.5.7B
Aakn1515knAakn1515kn!
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
smokeloader
2022
http://glueberry-og.cc/
http://glueberry-og.co/
http://glueberry-og.to/
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect PureCrypter injector 28 IoCs
-
Detects Smokeloader packer 4 IoCs
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pcvvgq.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pcvvgq.exe"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcvvgq.exe"C:\Users\Admin\AppData\Local\Temp\pcvvgq.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe6⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wstfjq.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wstfjq.exe"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wstfjq.exe"C:\Users\Admin\AppData\Local\Temp\wstfjq.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nfadyz.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nfadyz.exe"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nfadyz.exe"C:\Users\Admin\AppData\Local\Temp\nfadyz.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mwcfht.exe"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mwcfht.exe"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mwcfht.exe"C:\Users\Admin\AppData\Local\Temp\mwcfht.exe"5⤵
- Executes dropped EXE
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55315900105942deb090a358a315b06fe
SHA122fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA51277e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
-
Filesize
15KB
MD562b2234289304512f0c6bcd234bd0bb0
SHA1d6e8267c36e9eb3841aef3f3b4b4b19c3092d906
SHA256eb9eb7cfe19250ce356886b498a70ec3c3507eb7da2eb3ea7829c01c8acaeee0
SHA51212d0b4e3c9560725c6d6378ee26f890081d8530bcf638ed459fb8dd67510787fd67c27431d8d209981df3385ec2b94397a7ddb5ae40900d445e1c004f4bd1f9f
-
Filesize
15KB
MD5bfa62a22e16b28d0d73b91eb7371a533
SHA1c0118a91530ed3aebb2cde7d5e84fcdc9f9ac0dc
SHA25606aedec7d8465a4bd5e96e9b52f175351b6ea15a6278004f51b52e4d76773f7b
SHA51240191698c85b5cd0d6d9692a47d82cc712aa4b3ac20457343498da072ab7ccca224687e4943a6331657a4e394c47dcfdf0dd212960a6278cf50ec5d25b3bdca7
-
Filesize
18KB
MD5494c18eec59cf14e8ef1e12472911688
SHA12a618fabe7449bd2e7901a2fa048bdf6603289dd
SHA256eeaee9d74effdc7ca9a8c56dbb387cc2e86450f55ec5bbd0bd02bc2a10e9ef30
SHA512a630cbe16b481e42af35080413a43ea16bc288d7525793b64a6d1051d3796f52260a727c77d164c595e1f29cd6afc0b64a260e1bec82fb2f0b0894f30a604302
-
Filesize
15KB
MD5a95d7c1b2779e580ea365fd187394f3c
SHA19387e6d3c6939b9274b37d8c4013d489b5161929
SHA256d8e27a4bd8ab7638f471e296f03be0fd96dd89509ee091a351682ebc26652c6d
SHA512a756a95d11f9b04a5a26e279a4ecf9344b0a2f42f0736d42ed2b1a71959abdb9c64bcc1f95bea16932936e0890fc61215ca276a2f5c0789ccd4da61e8b0e9c39
-
Filesize
18KB
MD5fb1b8e4cf7419a84a372c2c1fec09418
SHA166e1a693201f3e5148ef089f88cd92556859a685
SHA2567069ae83d43f9fa57c84ffeb127c19160508145a901162f5e971810c7f28e144
SHA512f9ff6f50833058c6dddac59dc6bd8a36648fb6d1a3a4620e5cd01d1d5d9ba223c86089745a66d86b978d795e331519a0575006f38b7c08989839157ce1a6c32b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.8MB
MD5a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1a5de59863fb4acc05a9253562172f802420ed21b
SHA2562c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2
-
Filesize
5.8MB
MD5a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1a5de59863fb4acc05a9253562172f802420ed21b
SHA2562c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2
-
Filesize
2.3MB
MD5a08e5952ddaaabe4b7deaf30e3e522d3
SHA1d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA25652e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA5122f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea
-
Filesize
2.3MB
MD5a08e5952ddaaabe4b7deaf30e3e522d3
SHA1d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA25652e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA5122f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea
-
Filesize
828KB
MD5494969d84ee004227da4051403cbc098
SHA1befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676
-
Filesize
828KB
MD5494969d84ee004227da4051403cbc098
SHA1befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676
-
Filesize
1.3MB
MD57bf2898f75b3974d2c53999f8d3f40fb
SHA1c406aeef85ed1ce026b98b858af4be62da421119
SHA256c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA51220ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676
-
Filesize
1.3MB
MD57bf2898f75b3974d2c53999f8d3f40fb
SHA1c406aeef85ed1ce026b98b858af4be62da421119
SHA256c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA51220ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
64KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
5.9MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
868KB
-
Filesize
2.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
624KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
840KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB