0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncRAT/AsyncRAT.exe.xml
Size

5KB
MD5

cb1f2dcfeb5cbb5af8efa7ea40b8e908
SHA1

ceb040761554040cac2fc7ca18623498d3bfc7ce
SHA256

58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372
SHA512

f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea
SSDEEP

96:ur71Y7KY7KPrv0bGiver/apdgaRzV6RnwhXIJ0bGiveLapdgaRzV6RQyYKS4Ypy1:ur7S7L7OrTbCyYKS/pvrsJ+J/qJvr

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000f8a1c5ff0581db7b00e84a04428eb857165c2549a04840b2ae61ee4d07dc7794000000000e80000000020000200000008ba7570d4192308cf372d34359b72e984425a5cff7fbcd27e166421a04b086b090000000bccb128c676c506cea136fc9b848a775953b746b3ae1850f8f0dd284a52ba7732b60ba9ab24d914c3ceeb05b4ac1968fb8f32152f03ebb4e008bd70a0de459d8dea435774c49dcb11eec8b76129b7b9c7eca9aecced1fed0af2075a163039aabfc528efc97666e46ebb426ba51a5f717620ec2d191acaa3b5a0c5403dcab7df9ba4c3c4f57fada0b3528b850a83ed63440000000d5b67fae4c6cae73514ab46f4424b325e84cae38be50be3fd1b68d73023a802d7ada80d3274fab279e83acc9dceb99f4d3d947ebe7c66693a0acb086138ea30c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000004e071cdd31114068a8ecc54e51aec15698415cb0dec10544535f14121cea0363000000000e800000000200002000000024d916ea32f034012f69530862a487ff4c8070b5095304b4200d91ffb44d9b7220000000640173f0584258ffa00d1ef9cc9895d96fd3922e5632fb197552a9ad1aec8af140000000ace1b2916af590b5a1b885d68101200328f3d6fc0cce3a802e0d094ba180c9737a8d7a965ab0f5990d53a5665eaec678223960b5bd4a85d8d533ed1e6832d512	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7544511-FF2F-11EE-8B56-EE69C2CE6029} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419791013"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10acd7ab3c93da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2212 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2212 IEXPLORE.EXE
2212 IEXPLORE.EXE
2604 IEXPLORE.EXE
2604 IEXPLORE.EXE
2604 IEXPLORE.EXE
2604 IEXPLORE.EXE

pid	process
2212	IEXPLORE.EXE

pid	process
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2184 wrote to memory of 2472	2184	MSOXMLED.EXE	iexplore.exe
PID 2184 wrote to memory of 2472	2184	MSOXMLED.EXE	iexplore.exe
PID 2184 wrote to memory of 2472	2184	MSOXMLED.EXE	iexplore.exe
PID 2184 wrote to memory of 2472	2184	MSOXMLED.EXE	iexplore.exe
PID 2472 wrote to memory of 2212	2472	iexplore.exe	IEXPLORE.EXE
PID 2472 wrote to memory of 2212	2472	iexplore.exe	IEXPLORE.EXE
PID 2472 wrote to memory of 2212	2472	iexplore.exe	IEXPLORE.EXE
PID 2472 wrote to memory of 2212	2472	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 2604	2212	IEXPLORE.EXE	IEXPLORE.EXE
PID 2212 wrote to memory of 2604	2212	IEXPLORE.EXE	IEXPLORE.EXE
PID 2212 wrote to memory of 2604	2212	IEXPLORE.EXE	IEXPLORE.EXE
PID 2212 wrote to memory of 2604	2212	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
01a1687320cef6eff88695b03bd1e961

SHA1
cab2ab0a61b2fa535789ec46bb1970aba24a53fa

SHA256
34b0140f8b14664c7131173e41f16d64fa11b29917b096f480ea9a3a300a142d

SHA512
4e88ad4d5520dceb3abff96efb3354cdcfc598ea201685e07b66a1090def6d63e51928e1832ea959b914d1b24cb3b58ba6399cbed60f41cad58fbd15ceee7846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1d6e4a332b6b80314649ec027068b2b2

SHA1
d1e8960e93580998d567cf7f8ed77d945befd85b

SHA256
4307323f12a3d8444a9d417c67d92d0aef1cbb834585be5ae4c6d2e099478fb0

SHA512
8c45d717325f7973ec5004fc02e201cd0f6034d99a690de9e274481da1ddfdd3fbe41ae3784953a479a4e16c8dcbb0a37c3bd2500708a554fa98e6143c3e7d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
655d09eda034892ad5689b6df392ae55

SHA1
d6c6860425d89fca3aacb4fa343e04c31441c7ac

SHA256
91c4f7a50e81102e2e03d2c441a488fe96cac52f67fc31d592bb0f879b2edab8

SHA512
306c4258376d081c203299a9de138d75c08c750cdc4be2cd38c3a44b812a2abd6534a222d33cfe5e9753ff1623a560cf7a79488e4c770fd36c4a47006b58c0d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a4ca17f0eecc9e820e70c4ae18267c34

SHA1
f3726732c895876dc1f94f1a87608bb7c84986c9

SHA256
f9016393204019089f3aaa4d0c2540a69523254ccdff874145e3257006659a5c

SHA512
da51a99b311d28586f3ab117a1e46fd7fdc3ebbad46328bd9f2f448defb80661594badc33ba548534c9a64f47bd2e9809529f289a6213f21025c5fb4d16bdba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
860414e853bc33046f4c3db33f864695

SHA1
b66a11eaca912aaedb1957a40e2954c8368520c9

SHA256
982f3cbe96d75c23cbcebeab343ef965332f41abf9b65c670a9c7b0a4b53355c

SHA512
2eb123f97ecfcdbb86f63049d5166d1d62840fcf60041b349265fc236bdabf5de6e4ea8a9adad36e630b275d2961669fc0586e7c762fdd376d97560d391dce8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4e208a65c9a127a9fa3b13e7df773e56

SHA1
1bfa1d0b5bbcc1c9f91afa0bd4431dbdb5f570a6

SHA256
b68e5bea8f6aadfbc491aa10d4f7af5899bd11eafaebe1689e88e8eee2ac31a6

SHA512
8b875a773f90caf4b31c0f831b659de17939f8af05b7509d68eac4d846f3ef4da6cbfc8a7bb28cadc5648261eb2e673fdfebcf06b8afcb33d85f0364eca07e13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
981231e8a5c9d035c8d8cf90af419ec8

SHA1
f00fbc5be33539732209b80db53d7b976021823f

SHA256
846e33d30081b96a58756a2b9b87c796596ea9687a79f5c99d7b1fd29986e305

SHA512
c0352f205cdd7e2a35e9527af92cb1cafcecfbc9485d638dcd418f53628b254a86873b5f3d47f5e163a85a803fa7b3f32abb40014d924a43f9f5d70684bbc576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e201e8b7ddbdfe55c5eb19e9d7a9be2c

SHA1
530a11d3e768530bdbea9eab6f537d6e917ab813

SHA256
05bb9ae328b85930b2e6bf51b38d005c22bf06d8a214389a92e3dde858419af6

SHA512
5abd0fee7fa424f69902c4e2bfc5a7b16c30dc360b896c1e62bddb316da0c98772f2eada41ec6e04e276c9e1766a77e51c3f81e8b81ddb82f83f1818ba346f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b7cc2cf6aa61a58a03c00761158c5f6

SHA1
d1dad92e804a107f030441732ff26eb0559537f1

SHA256
0b30a20dbebd6d0372a99aad67b24ce7df064fc6bcc97f8deb1d67eebd925234

SHA512
dbdaa4b02f5754075c463dd21ac6540e6b9c7796eccd665320fd13c1ca31e83fbee816a16ec21a597e8a72ce826a0ab09f8c1c4da44c8830a8a8ae043d1002ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9b5081ac530cbe8e52858a8d297c9e51

SHA1
5c4b4ba5302a8ce72f2e37e6111ebd03d9ac7a1a

SHA256
40d6c9670037edc479ab1ccf50a257f7cf19db4ed53270d5bf46f1d0975faf4a

SHA512
0cb1ac37924edad3e8c2f3530f9d887a964f58d9c83c59062d14bab81a2ea99823eb149f33c264b0835b86a84962fc10c0e9fabc79e055cb50dbed98411f9d56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ff055af2525441ae73b45fa656b7058a

SHA1
25d942b2424174d756ca5f37d735cdf2516f71f4

SHA256
388d337b630ccd4a3eb9492f11e4c81e1a580eee1797ceeedc2979e9844b1010

SHA512
fb83b4edcb1544ff4f26b1553cf57aa6443b6386692cceaf66b65f36efa4a878148a2940514ee9b4798436fd63951db1ca64b58c42e946c946995092b9bca189

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab26D5.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar27F5.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit