Analysis
-
max time kernel
171s -
max time network
265s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
10/10/2023, 21:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral3
Sample
desk.exe
Resource
win7-20230831-en
windows7-x64
1 signatures
150 seconds
General
-
Target
desk.exe
-
Size
500.0MB
-
MD5
16314cacd74e109fc9ad1c5df2eb8664
-
SHA1
3cc9bb0d38c78d3d9303ad08fc2a13a53ccfedf1
-
SHA256
1a1585293a6ca4c99e44574d2162614f2cb25756f3363b65c36259b98f632b19
-
SHA512
149b6792aa6d60b9998bd8053dc871722a8cb0f76293ad49daa7333ed37e5e5bb24c5b3c9d169f777f07c15fd03c6b975b2ea5dda0025bcd4936aa369eda9b2c
-
SSDEEP
12288:U+16R2LddlvB2v25xRMru65uZEKG+uaUMVQQSsbCGe1f:U0JLddlvj5xyF5uZEKGaRVTSsb9+f
Malware Config
Extracted
Family
asyncrat
Version
| Cracked By Hegaa
Botnet
XXNEWWXX
C2
webwdircetcc.sytes.net:3232
webazssc.sytes.net:3232
webazsswebc.sytes.net:3232
webwsetcc.sytes.net:3232
Mutex
中文翻译缅甸语翻译缅甸语
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4980 created 3192 4980 desk.exe 68 -
Async RAT payload 1 IoCs
resource yara_rule behavioral4/memory/3380-7-0x0000024BE8A50000-0x0000024BE8A64000-memory.dmp asyncrat -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4980 desk.exe 3380 notepad.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid Process 4980 desk.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3380 notepad.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3380 notepad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4980 wrote to memory of 2016 4980 desk.exe 91 PID 4980 wrote to memory of 2016 4980 desk.exe 91 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92 PID 4980 wrote to memory of 3380 4980 desk.exe 92
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\desk.exe"C:\Users\Admin\AppData\Local\Temp\desk.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SYSTEM32\notepad.exenotepad.exe3⤵PID:2016
-
-
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3380
-