Analysis Overview
SHA256
5f2ff12584a99c9720d27bf219ec4691f80ea258d71e391ca28f4590f360a775
Threat Level: Known bad
The file f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 00:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-19 00:51
Reported
2024-04-19 00:53
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1488 wrote to memory of 3860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1488 wrote to memory of 3860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1488 wrote to memory of 3860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3860 wrote to memory of 4464 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3860 wrote to memory of 4464 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3860 wrote to memory of 4464 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vzjtdshtcu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vzjtdshtcu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vzjtdshtcu.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.126.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/3860-0-0x00000000749F0000-0x00000000749FB000-memory.dmp
memory/3860-1-0x00000000749F0000-0x00000000749FB000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 00:51
Reported
2024-04-19 00:53
Platform
win7-20240221-en
Max time kernel
147s
Max time network
146s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1940 set thread context of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe |
| PID 2492 set thread context of 2372 | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | C:\Users\Admin\AppData\Roaming\Edge.exe |
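The SetThreadContext rows above pair with the WriteProcessMemory rows from the other runs: a parent that writes into a child sharing its own image path and then rewrites the child's thread context is the process-hollowing pattern, and the memory dumps the sandbox took at 0x400000 in the child are the classic image base of the 32-bit payload that replaced the original code. The script below is an added example, not part of this report or of any sandbox's code: it turns the signature rows of this page (copied from behavioral1, behavioral3 and behavioral4, whose PIDs happen not to collide) and the dump file names into scored findings. The weights, the LOLBin list and the user-writable path list are my own assumptions.

```python
"""Correlate cross-process primitives from sandbox signature rows into injection findings.

Added example for this report; not sandbox or sample code. ROWS and DUMPS are
copied from the report's tables; scoring weights and lists are assumptions.
"""
import re
from collections import defaultdict

PRIM_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# Signed Windows binaries commonly hollowed or abused to host foreign code (assumed list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe", "regasm.exe"}


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(rows, dumps):
    """rows: (description, process_image, target_image) from the signature tables;
    dumps: memory dump file names. Returns findings per (source pid, target pid)."""
    pairs = defaultdict(lambda: {"prims": set()})
    for desc, src_img, dst_img in rows:
        m = PRIM_RE.search(desc)
        if not m:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        p = pairs[(src, dst)]
        p["prims"].add("SetThreadContext" if verb.startswith("set") else "WriteProcessMemory")
        p["src_img"], p["dst_img"] = src_img, dst_img
    regions = defaultdict(set)            # target pid -> dumped (start, end) ranges
    for d in dumps:
        m = DUMP_RE.search(d)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    findings = []
    for (src, dst), p in pairs.items():
        score, why = 0, []
        same_image = p["src_img"].lower() == p["dst_img"].lower()
        if "SetThreadContext" in p["prims"]:
            score += 3; why.append("thread context rewritten")
        if "WriteProcessMemory" in p["prims"]:
            score += 2; why.append("memory written into target")
        if same_image:
            score += 2; why.append("target is a fresh copy of the source image")
        if USER_WRITABLE.search(p["src_img"]):
            score += 2; why.append("source runs from a user-writable path")
        if base(p["dst_img"]) in LOLBINS:
            score += 1; why.append("target is a LOLBin")
        # A dump starting at 0x400000 in the target, taken after SetThreadContext,
        # is where a non-ASLR 32-bit payload mapped over the suspended child sits.
        if "SetThreadContext" in p["prims"] and any(s == 0x400000 for s, _ in regions[dst]):
            score += 1; why.append("target dumped at 0x400000")
        if "SetThreadContext" in p["prims"] and same_image:
            verdict = "hollowing"
        elif score >= 6:
            verdict = "injection"
        else:
            verdict = "review"
        findings.append({"src": src, "dst": dst, "score": score, "verdict": verdict, "why": why})
    return sorted(findings, key=lambda f: -f["score"])


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe"
EDGE = r"C:\Users\Admin\AppData\Roaming\Edge.exe"
RUNDLL64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
ROWS = [  # copied from the report; PIDs are from three runs but do not collide
    ("PID 1940 set thread context of 2364", SAMPLE, SAMPLE),      # behavioral1
    ("PID 2492 set thread context of 2372", EDGE, EDGE),          # behavioral1
    ("PID 1752 set thread context of 2620", RUNDLL32, RUNDLL32),  # behavioral3
    ("PID 1488 wrote to memory of 3860", RUNDLL64, RUNDLL32),     # behavioral4
    ("PID 1488 wrote to memory of 3860", RUNDLL64, RUNDLL32),
    ("PID 3860 wrote to memory of 4464", RUNDLL32, RUNDLL32),     # behavioral4
]
DUMPS = [
    "memory/2364-9-0x0000000000400000-0x000000000044B000-memory.dmp",
    "memory/2372-47-0x0000000000400000-0x000000000044B000-memory.dmp",
    "memory/2620-3-0x0000000000400000-0x000000000044B000-memory.dmp",
    "memory/3860-0-0x00000000749F0000-0x00000000749FB000-memory.dmp",
]

if __name__ == "__main__":
    for f in correlate(ROWS, DUMPS):
        print(f["src"], "->", f["dst"], f["verdict"], f["score"], "; ".join(f["why"]))
```

The 64-bit rundll32 writing into the SysWOW64 rundll32 it spawned for a 32-bit plugin DLL scores low on purpose: without a SetThreadContext it is the bitness hand-off, and only behavioral3, where the SysWOW64 rundll32 rewrites the thread context of a second SysWOW64 rundll32 carrying the same DLL, reaches the hollowing verdict.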
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 476
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr '"C:\Users\Admin\AppData\Roaming\Edge.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr '"C:\Users\Admin\AppData\Roaming\Edge.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Edge.exe
"C:\Users\Admin\AppData\Roaming\Edge.exe"
C:\Users\Admin\AppData\Roaming\Edge.exe
"C:\Users\Admin\AppData\Roaming\Edge.exe"
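The process list above is the whole persistence routine in four commands: schtasks registers an on-logon task named "Edge" with `/rl highest` whose action is a copy of the sample in a user-writable directory, a generated `tmp*.tmp.bat` waits with `timeout 3` and then starts that copy. The detection below is an added example written for this report, not sandbox or sample code: it runs over process-creation records built from the command lines shown here, parses the schtasks options with a tokenizer that understands the `'"..."'` quoting, and ties the task action to the binary that later executes. PIDs 1940, 2364 and 2492 are the report's; PIDs 3001 to 3004 for cmd.exe, schtasks.exe and timeout.exe are invented because the report does not list them, and the user-writable path list is an assumption.

```python
"""Flag scheduled-task persistence and the delayed re-launch batch in process telemetry.

Added example for this report; not code from the sandbox or from the sample.
Events are built from the command lines in the report; PIDs 3001-3004 and the
USER_WRITABLE list are assumptions.
"""
import re
from collections import defaultdict

# Locations a standard user can write to. A task whose action lives here installs
# without admin rights; "/rl highest" then runs it at the highest integrity level
# the logging-on user holds.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
TEMP_BATCH = re.compile(r"\\Temp\\[^\"]*\.bat\b", re.I)
# schtasks options that take the following token as their value.
VALUE_OPTS = {"/sc", "/rl", "/tn", "/tr", "/st", "/mo", "/ru", "/rp", "/d", "/m"}


def tokenize(cmdline):
    """Split a Windows command line. Quotes group, backslashes stay literal, and a
    quote of the other kind inside a quoted run is kept, so the /tr value arrives
    as one token still wrapped in its double quotes."""
    tokens, buf, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_schtasks(cmdline):
    """Map schtasks options to values; bare flags such as /create map to True."""
    opts, toks, i = {}, tokenize(cmdline), 0
    while i < len(toks):
        t = toks[i].lower()
        if t.startswith("/"):
            if t in VALUE_OPTS and i + 1 < len(toks):
                opts[t] = toks[i + 1].strip('"')
                i += 1
            else:
                opts[t] = True
        i += 1
    return opts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """events: process-creation records {pid, ppid, image, cmdline} in creation order."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings, task_targets = [], {}   # task_targets: action path -> schtasks pid
    for e in events:
        img = basename(e["image"])
        if img == "schtasks.exe":
            o = parse_schtasks(e["cmdline"])
            target = o.get("/tr", "")
            if not isinstance(target, str):
                target = ""
            if "/create" in o and USER_WRITABLE.search(target):
                onlogon = str(o.get("/sc", "")).lower() == "onlogon"
                highest = str(o.get("/rl", "")).lower() == "highest"
                findings.append({"rule": "schtasks_persistence_userwritable", "pid": e["pid"],
                                 "task": o.get("/tn"), "target": target,
                                 "severity": "high" if onlogon and highest else "medium"})
                task_targets[target.lower()] = e["pid"]
        elif img == "cmd.exe" and TEMP_BATCH.search(e["cmdline"]):
            kids = children[e["pid"]]
            delayed = any(basename(k["image"]) == "timeout.exe" for k in kids)
            relaunch = any(USER_WRITABLE.search(k["image"]) for k in kids)
            if delayed and relaunch:
                findings.append({"rule": "temp_batch_delay_then_relaunch", "pid": e["pid"],
                                 "severity": "high"})
        if e["image"].lower() in task_targets:   # the task's action binary actually ran
            findings.append({"rule": "task_target_executed", "pid": e["pid"],
                             "created_by": task_targets[e["image"].lower()]})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe"
EDGE = r"C:\Users\Admin\AppData\Roaming\Edge.exe"
TR_ARG = "'\"" + EDGE + "\"'"   # the '"..."' quoting seen in the report
SCHTASKS_CMD = f'schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr {TR_ARG}'
CMD_SCHTASKS = f'"C:\\Windows\\System32\\cmd.exe" /c {SCHTASKS_CMD} & exit'
EVENTS = [  # constructed from the report's process list; PIDs 3001-3004 invented
    {"pid": 1940, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2364, "ppid": 1940, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3001, "ppid": 2364, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": CMD_SCHTASKS},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 3003, "ppid": 2364, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat""'},
    {"pid": 3004, "ppid": 3003, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 2492, "ppid": 3003, "image": EDGE, "cmdline": f'"{EDGE}"'},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Matching on the schtasks.exe event rather than on the cmd.exe wrapper keeps the rule working when the task is created directly, through PowerShell, or through `cmd /c`; the wrapper line is only needed for parentage.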
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tinrinrin.kozow.com | udp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| US | 8.8.8.8:53 | tinrinrin.kozow.com | udp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
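Six TCP sessions to one host on port 9091 behind a dynamic-DNS name, surrounded by DNS and reverse-lookup rows that any Windows sandbox produces, is the C2 signal of this run. The script below is an added example for this report, not sandbox or vendor code: it parses the Network table rows as printed here, discards the background rows, aggregates sessions per destination and flags repeated connections to a non-standard port or a dynamic-DNS domain, then emits a Suricata rule for the hit. The dynamic-DNS suffix list, the common-port set and the session threshold are my own assumptions.

```python
"""Separate C2 sessions from sandbox background noise in the Network tables.

Added example for this report; not sandbox code. ROWS are copied from the
behavioral1 table plus two reverse-lookup rows from behavioral2; the suffix
list, port set and threshold are assumptions.
"""
from collections import Counter

# Free dynamic-DNS suffixes often seen in RAT configs (assumed list; kozow.com is
# the one this sample uses).
DDNS_SUFFIXES = tuple("." + s for s in ("kozow.com", "duckdns.org", "ddns.net",
                                        "no-ip.org", "hopto.org", "dynu.com"))
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995, 22, 8080}
MIN_SESSIONS = 3


def parse_row(row):
    """Parse one '| Country | ip:port | Domain | Proto |' table row."""
    country, dest, domain, proto = [c.strip() for c in row.strip().strip("|").split("|")]
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()}


def is_noise(r):
    """DNS queries and PTR lookups carry no session of their own; the domain they
    resolve shows up again on the TCP rows, so nothing is lost by dropping them."""
    return r["domain"].endswith(".in-addr.arpa") or (r["proto"] == "udp" and r["port"] == 53)


def find_c2(rows):
    sessions, meta = Counter(), {}
    for r in map(parse_row, rows):
        if is_noise(r):
            continue
        key = (r["ip"], r["port"], r["proto"])
        sessions[key] += 1
        meta[key] = r
    hits = []
    for key, n in sessions.items():
        r = meta[key]
        ddns = r["domain"].endswith(DDNS_SUFFIXES)
        odd_port = r["port"] not in COMMON_PORTS
        if n >= MIN_SESSIONS and (ddns or odd_port):
            hits.append({"ip": r["ip"], "port": r["port"], "domain": r["domain"],
                         "country": r["country"], "sessions": n, "ddns": ddns, "odd_port": odd_port})
    return sorted(hits, key=lambda h: -h["sessions"])


def suricata_rule(hit, sid):
    """One outbound rule per hit; sid is the caller's local rule id."""
    return (f'alert tcp $HOME_NET any -> {hit["ip"]} {hit["port"]} '
            f'(msg:"AsyncRAT C2 {hit["domain"]}"; flow:to_server,established; sid:{sid}; rev:1;)')


ROWS = [  # copied from the report's Network tables
    "| US | 8.8.8.8:53 | tinrinrin.kozow.com | udp |",
    "| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |",
    "| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |",
    "| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |",
    "| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |",
    "| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |",
    "| US | 8.8.8.8:53 | tinrinrin.kozow.com | udp |",
    "| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |",
    "| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |",
    "| US | 204.79.197.237:443 | g.bing.com | tcp |",
]

if __name__ == "__main__":
    for i, h in enumerate(find_c2(ROWS), start=9000001):
        print(h)
        print(suricata_rule(h, i))
```

Block the IP and port at the egress, but alert on the domain as well: a dynamic-DNS name can be re-pointed at a new host in minutes, so the name outlives the address.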
Files
\Users\Admin\AppData\Local\Temp\nso12C7.tmp\vzjtdshtcu.dll
| MD5 | 433747be519bda968dfcb35f6970fa5b |
| SHA1 | faaea3969400d0302544ad4fd9cb031b7637936f |
| SHA256 | 5d362cfb794eebda011289c7ffaf328b9537e87dca13e79d60508773b538f6c6 |
| SHA512 | 6a97c1f265546f71910bad5465c767314ed97e2246363e25077471db1a5cfdd92a56b1da02e8620775fdbc8a231636f147c6e66c781b38f03fe05b3da256530a |
memory/1940-7-0x00000000744B0000-0x00000000744BB000-memory.dmp
memory/2364-9-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2364-11-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2364-12-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2364-15-0x0000000073A60000-0x000000007414E000-memory.dmp
memory/2364-16-0x00000000044E0000-0x0000000004520000-memory.dmp
memory/2364-14-0x00000000044A0000-0x00000000044B2000-memory.dmp
memory/2364-17-0x00000000044E0000-0x0000000004520000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat
| MD5 | 1234bf33a9c719460a79c10b806b5f2e |
| SHA1 | bca7bb341b584e7d08f90d0b8ad2d1f6e15c5e7a |
| SHA256 | 43ff16cd019a18fb19ffaad7b4713ee7ba42266b6f632e5614a0e416a30ffe0e |
| SHA512 | 5df83d82dca126b8c3e09ebfd8cdf9da3364260f65d1c97fe0a3da6142de01969909601ce9994dc874917cb0541a7550645acf99c59d55b5ec756da84da2932c |
memory/2364-26-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2364-28-0x0000000073A60000-0x000000007414E000-memory.dmp
\Users\Admin\AppData\Roaming\Edge.exe
| MD5 | f9235b9b51702c123e3b6c8c7dafaad1 |
| SHA1 | 9e5867039896c5d1e5f06185dc0eeb9d4a53ac5a |
| SHA256 | 5f2ff12584a99c9720d27bf219ec4691f80ea258d71e391ca28f4590f360a775 |
| SHA512 | a21857672861bbaff86a5cedb9cc04df4f05a9a948135336849b6d8f2112da85de2a0b71de7e75dad7ddc66b4a80dfb53094ea91650f2e2ba96b9db13f77ba0b |
C:\Users\Admin\AppData\Local\Temp\nn8lgmg7r8qsag
| MD5 | 5fe8fec5a32be9df8bf109e10e2b8bd2 |
| SHA1 | 8e5f954d496977e1368c0198696e5d4990096238 |
| SHA256 | 96400e822c64df8d089c7205afb181cb66494b78d09e0a04ae0da7f39ebbdbf5 |
| SHA512 | d4631c27413ae63af92427ffb9831e3fa2909669046943eedead511621e53d17355a60f22209638ec78ed106a6967657a377a12397339eaf5a99517ac1adaec2 |
memory/2492-41-0x0000000074220000-0x000000007422B000-memory.dmp
memory/2492-46-0x0000000074220000-0x000000007422B000-memory.dmp
memory/2372-47-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1940-49-0x00000000744B0000-0x00000000744BB000-memory.dmp
memory/2372-48-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2372-50-0x0000000072880000-0x0000000072F6E000-memory.dmp
memory/2372-52-0x0000000004400000-0x0000000004440000-memory.dmp
memory/2372-51-0x0000000004400000-0x0000000004440000-memory.dmp
memory/2372-56-0x0000000004400000-0x0000000004440000-memory.dmp
memory/2372-55-0x0000000072880000-0x0000000072F6E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 00:51
Reported
2024-04-19 00:54
Platform
win10v2004-20240412-en
Max time kernel
164s
Max time network
165s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4512 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe |
| PID 2540 set thread context of 1984 | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | C:\Users\Admin\AppData\Roaming\Edge.exe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9235b9b51702c123e3b6c8c7dafaad1_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr '"C:\Users\Admin\AppData\Roaming\Edge.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4DD.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr '"C:\Users\Admin\AppData\Roaming\Edge.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Edge.exe
"C:\Users\Admin\AppData\Roaming\Edge.exe"
C:\Users\Admin\AppData\Roaming\Edge.exe
"C:\Users\Admin\AppData\Roaming\Edge.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tinrinrin.kozow.com | udp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| NL | 45.137.22.138:9091 | tinrinrin.kozow.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nscD959.tmp\vzjtdshtcu.dll
| MD5 | 433747be519bda968dfcb35f6970fa5b |
| SHA1 | faaea3969400d0302544ad4fd9cb031b7637936f |
| SHA256 | 5d362cfb794eebda011289c7ffaf328b9537e87dca13e79d60508773b538f6c6 |
| SHA512 | 6a97c1f265546f71910bad5465c767314ed97e2246363e25077471db1a5cfdd92a56b1da02e8620775fdbc8a231636f147c6e66c781b38f03fe05b3da256530a |
memory/4512-6-0x00000000749C0000-0x00000000749CB000-memory.dmp
memory/4640-9-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4640-10-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4640-11-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4512-12-0x00000000749C0000-0x00000000749CB000-memory.dmp
memory/4640-13-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4640-14-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/4640-15-0x0000000004980000-0x0000000004990000-memory.dmp
memory/4640-16-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/4640-17-0x0000000004980000-0x0000000004990000-memory.dmp
memory/4640-18-0x0000000004A90000-0x0000000004B2C000-memory.dmp
memory/4640-23-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4640-26-0x0000000074CD0000-0x0000000075480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4DD.tmp.bat
| MD5 | 8a29a4f9dd28a280b377db59ff3945dc |
| SHA1 | b53ec44bb07e3eff4eb5ae646144876d752c9cc8 |
| SHA256 | 9d319914f32a24144e7a91def291bcbdb8a99a596d19f02d69f18db076907b1e |
| SHA512 | 662221ddede45fefdcacdd9c564e08126c5a396645c0a9e853cfc28a24eaee1fb4d7bb6fc799fe36a46102ecaa879c03bdf4e82b140b9c0f21a2bd223e27c671 |
C:\Users\Admin\AppData\Roaming\Edge.exe
| MD5 | f9235b9b51702c123e3b6c8c7dafaad1 |
| SHA1 | 9e5867039896c5d1e5f06185dc0eeb9d4a53ac5a |
| SHA256 | 5f2ff12584a99c9720d27bf219ec4691f80ea258d71e391ca28f4590f360a775 |
| SHA512 | a21857672861bbaff86a5cedb9cc04df4f05a9a948135336849b6d8f2112da85de2a0b71de7e75dad7ddc66b4a80dfb53094ea91650f2e2ba96b9db13f77ba0b |
C:\Users\Admin\AppData\Local\Temp\nn8lgmg7r8qsag
| MD5 | 5fe8fec5a32be9df8bf109e10e2b8bd2 |
| SHA1 | 8e5f954d496977e1368c0198696e5d4990096238 |
| SHA256 | 96400e822c64df8d089c7205afb181cb66494b78d09e0a04ae0da7f39ebbdbf5 |
| SHA512 | d4631c27413ae63af92427ffb9831e3fa2909669046943eedead511621e53d17355a60f22209638ec78ed106a6967657a377a12397339eaf5a99517ac1adaec2 |
memory/2540-39-0x00000000749C0000-0x00000000749CB000-memory.dmp
memory/2540-44-0x00000000749C0000-0x00000000749CB000-memory.dmp
memory/1984-43-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1984-45-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1984-46-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1984-47-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/1984-48-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-49-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-50-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-51-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-54-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/1984-56-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-57-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-55-0x0000000004930000-0x0000000004940000-memory.dmp
memory/1984-58-0x0000000004930000-0x0000000004940000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-19 00:51
Reported
2024-04-19 00:53
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Edge.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1752 set thread context of 2620 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vzjtdshtcu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vzjtdshtcu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vzjtdshtcu.dll,#1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr '"C:\Users\Admin\AppData\Roaming\Edge.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA63.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Edge" /tr '"C:\Users\Admin\AppData\Roaming\Edge.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Edge.exe
"C:\Users\Admin\AppData\Roaming\Edge.exe"
Network
Files
memory/1752-0-0x0000000075270000-0x000000007527B000-memory.dmp
memory/1752-1-0x0000000075270000-0x000000007527B000-memory.dmp
memory/1752-2-0x0000000075030000-0x000000007503B000-memory.dmp
memory/2620-3-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1752-4-0x0000000075270000-0x000000007527B000-memory.dmp
memory/2620-7-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1752-6-0x0000000075030000-0x000000007503B000-memory.dmp
memory/2620-9-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2620-11-0x0000000074830000-0x0000000074F1E000-memory.dmp
memory/2620-12-0x0000000004440000-0x0000000004480000-memory.dmp
memory/2620-10-0x00000000001F0000-0x0000000000202000-memory.dmp
memory/2620-13-0x0000000004440000-0x0000000004480000-memory.dmp
memory/2620-14-0x0000000004440000-0x0000000004480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAA63.tmp.bat
| MD5 | ec53e73a3c28aa74733e251301331bcd |
| SHA1 | b27fce60a7a9e90233fb24f2d573e21b9f5a68df |
| SHA256 | af84a47038199603abefb5f265bb3bfea92fd7fede32a218e6e34262c6a965aa |
| SHA512 | 77b46bc21b2b03fe766f28e151842e5586a6739b06f3146dcd366ac914cd32b02c169a12f68d29d380325807743727700d00e123ddca2d6cc859dace0e6a6ae8 |
memory/2620-24-0x0000000074830000-0x0000000074F1E000-memory.dmp
\Users\Admin\AppData\Roaming\Edge.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |