asyncrat | 0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b

General

Target

093bc49ab25cc6a20d95155db80f1fa8.exe
Size

753KB
MD5

093bc49ab25cc6a20d95155db80f1fa8
SHA1

b1ed1ffa34d4e909e30e8a3a299a22d5101380e1
SHA256

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b
SHA512

bec9a628e91f16cd4bdfcda85f30a447ab2e817acdfcee307187cb2d5aaff32eb3fa3b659f810aca40290f97ff59122873d60e3fe9988d2195da0b6cb0870722
SSDEEP

12288:mUvKFtlyYqn58iP23JOcXYkrCQNkfCVvd487NYe3VqiYT6K3ifW+Janl:glyY058i0OuIQNkfCb4IV2iW+Janl

Score

10^/10

asyncrat darkcomet 2024+may3333-newcrt persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+May3333-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-M4P4YFY

Attributes

InstallPath
rar.exe
gencode
jSEma97mAgP2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
winrar

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex778899

Attributes

delay
5
install
true
install_file
audiodrvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms48FF.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\rar.exe"	sms48FF.tmp

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4B70.tmp	family_asyncrat

Drops file in Drivers directory 1 IoCs

Processes:

sms48FF.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts sms48FF.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms48FF.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sms48FF.tmpPRINTSERV.EXEsms4B70.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	sms48FF.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	PRINTSERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	sms4B70.tmp

Executes dropped EXE 7 IoCs

Processes:

sms48FF.tmpCHROMEL.EXEPRINTSERV.EXEsms4B70.tmpPRINTSERV.EXErar.exeaudiodrvs.exe

pid process

4328 sms48FF.tmp
2928 CHROMEL.EXE
220 PRINTSERV.EXE
3124 sms4B70.tmp
4772 PRINTSERV.EXE
4124 rar.exe
4320 audiodrvs.exe

pid	process
4328	sms48FF.tmp
2928	CHROMEL.EXE
220	PRINTSERV.EXE
3124	sms4B70.tmp
4772	PRINTSERV.EXE
4124	rar.exe
4320	audiodrvs.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms48FF.tmp	upx
behavioral2/memory/4328-11-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4328-12-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4328-118-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4124-126-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4124-136-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4124-139-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sms48FF.tmprar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	sms48FF.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3856 schtasks.exe
3008 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

984 timeout.exe
Modifies registry class 1 IoCs

Processes:

sms48FF.tmp

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sms48FF.tmp

pid	process
3856	schtasks.exe
3008	schtasks.exe

pid	process
984	timeout.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms48FF.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PRINTSERV.EXEsms4B70.tmpaudiodrvs.exe

pid	process
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
3124	sms4B70.tmp
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4320	audiodrvs.exe
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE
4772	PRINTSERV.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

sms48FF.tmprar.exesms4B70.tmpPRINTSERV.EXEaudiodrvs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4328	sms48FF.tmp
Token: SeSecurityPrivilege	4328	sms48FF.tmp
Token: SeTakeOwnershipPrivilege	4328	sms48FF.tmp
Token: SeLoadDriverPrivilege	4328	sms48FF.tmp
Token: SeSystemProfilePrivilege	4328	sms48FF.tmp
Token: SeSystemtimePrivilege	4328	sms48FF.tmp
Token: SeProfSingleProcessPrivilege	4328	sms48FF.tmp
Token: SeIncBasePriorityPrivilege	4328	sms48FF.tmp
Token: SeCreatePagefilePrivilege	4328	sms48FF.tmp
Token: SeBackupPrivilege	4328	sms48FF.tmp
Token: SeRestorePrivilege	4328	sms48FF.tmp
Token: SeShutdownPrivilege	4328	sms48FF.tmp
Token: SeDebugPrivilege	4328	sms48FF.tmp
Token: SeSystemEnvironmentPrivilege	4328	sms48FF.tmp
Token: SeChangeNotifyPrivilege	4328	sms48FF.tmp
Token: SeRemoteShutdownPrivilege	4328	sms48FF.tmp
Token: SeUndockPrivilege	4328	sms48FF.tmp
Token: SeManageVolumePrivilege	4328	sms48FF.tmp
Token: SeImpersonatePrivilege	4328	sms48FF.tmp
Token: SeCreateGlobalPrivilege	4328	sms48FF.tmp
Token: 33	4328	sms48FF.tmp
Token: 34	4328	sms48FF.tmp
Token: 35	4328	sms48FF.tmp
Token: 36	4328	sms48FF.tmp
Token: SeIncreaseQuotaPrivilege	4124	rar.exe
Token: SeSecurityPrivilege	4124	rar.exe
Token: SeTakeOwnershipPrivilege	4124	rar.exe
Token: SeLoadDriverPrivilege	4124	rar.exe
Token: SeSystemProfilePrivilege	4124	rar.exe
Token: SeSystemtimePrivilege	4124	rar.exe
Token: SeProfSingleProcessPrivilege	4124	rar.exe
Token: SeIncBasePriorityPrivilege	4124	rar.exe
Token: SeCreatePagefilePrivilege	4124	rar.exe
Token: SeBackupPrivilege	4124	rar.exe
Token: SeRestorePrivilege	4124	rar.exe
Token: SeShutdownPrivilege	4124	rar.exe
Token: SeDebugPrivilege	4124	rar.exe
Token: SeSystemEnvironmentPrivilege	4124	rar.exe
Token: SeChangeNotifyPrivilege	4124	rar.exe
Token: SeRemoteShutdownPrivilege	4124	rar.exe
Token: SeUndockPrivilege	4124	rar.exe
Token: SeManageVolumePrivilege	4124	rar.exe
Token: SeImpersonatePrivilege	4124	rar.exe
Token: SeCreateGlobalPrivilege	4124	rar.exe
Token: 33	4124	rar.exe
Token: 34	4124	rar.exe
Token: 35	4124	rar.exe
Token: 36	4124	rar.exe
Token: SeDebugPrivilege	3124	sms4B70.tmp
Token: SeDebugPrivilege	4772	PRINTSERV.EXE
Token: SeDebugPrivilege	4320	audiodrvs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rar.exe

pid process

4124 rar.exe

pid	process
4124	rar.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

093bc49ab25cc6a20d95155db80f1fa8.exesms48FF.tmpCHROMEL.EXEPRINTSERV.EXEPRINTSERV.EXEsms4B70.tmpcmd.exe

description	pid	process	target process
PID 3708 wrote to memory of 4328	3708	093bc49ab25cc6a20d95155db80f1fa8.exe	sms48FF.tmp
PID 3708 wrote to memory of 4328	3708	093bc49ab25cc6a20d95155db80f1fa8.exe	sms48FF.tmp
PID 3708 wrote to memory of 4328	3708	093bc49ab25cc6a20d95155db80f1fa8.exe	sms48FF.tmp
PID 4328 wrote to memory of 2928	4328	sms48FF.tmp	CHROMEL.EXE
PID 4328 wrote to memory of 2928	4328	sms48FF.tmp	CHROMEL.EXE
PID 4328 wrote to memory of 220	4328	sms48FF.tmp	PRINTSERV.EXE
PID 4328 wrote to memory of 220	4328	sms48FF.tmp	PRINTSERV.EXE
PID 4328 wrote to memory of 220	4328	sms48FF.tmp	PRINTSERV.EXE
PID 2928 wrote to memory of 3124	2928	CHROMEL.EXE	sms4B70.tmp
PID 2928 wrote to memory of 3124	2928	CHROMEL.EXE	sms4B70.tmp
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 4328 wrote to memory of 2636	4328	sms48FF.tmp	notepad.exe
PID 220 wrote to memory of 4772	220	PRINTSERV.EXE	PRINTSERV.EXE
PID 220 wrote to memory of 4772	220	PRINTSERV.EXE	PRINTSERV.EXE
PID 220 wrote to memory of 4772	220	PRINTSERV.EXE	PRINTSERV.EXE
PID 4328 wrote to memory of 4124	4328	sms48FF.tmp	rar.exe
PID 4328 wrote to memory of 4124	4328	sms48FF.tmp	rar.exe
PID 4328 wrote to memory of 4124	4328	sms48FF.tmp	rar.exe
PID 4772 wrote to memory of 3856	4772	PRINTSERV.EXE	schtasks.exe
PID 4772 wrote to memory of 3856	4772	PRINTSERV.EXE	schtasks.exe
PID 4772 wrote to memory of 3856	4772	PRINTSERV.EXE	schtasks.exe
PID 3124 wrote to memory of 3008	3124	sms4B70.tmp	schtasks.exe
PID 3124 wrote to memory of 3008	3124	sms4B70.tmp	schtasks.exe
PID 3124 wrote to memory of 3004	3124	sms4B70.tmp	cmd.exe
PID 3124 wrote to memory of 3004	3124	sms4B70.tmp	cmd.exe
PID 3004 wrote to memory of 984	3004	cmd.exe	timeout.exe
PID 3004 wrote to memory of 984	3004	cmd.exe	timeout.exe
PID 3004 wrote to memory of 4320	3004	cmd.exe	audiodrvs.exe
PID 3004 wrote to memory of 4320	3004	cmd.exe	audiodrvs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\093bc49ab25cc6a20d95155db80f1fa8.exe
"C:\Users\Admin\AppData\Local\Temp\093bc49ab25cc6a20d95155db80f1fa8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\sms48FF.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms48FF.tmp"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
    "C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\sms4B70.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms4B70.tmp"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrvs.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:984
      - C:\Users\Admin\AppData\Roaming\audiodrvs.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodrvs.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
- - C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
    "C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp612B.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3856
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2636
- - C:\Users\Admin\Documents\rar.exe
    "C:\Users\Admin\Documents\rar.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRINTSERV.EXE.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE

Filesize
184KB

MD5
f6062ddb9cc2fad6e403b8b9dbe02df7

SHA1
efebcabb3902cdcc7b789786d96db2a93156b81a

SHA256
61309415bb524bba3d6065cf5df5ce2031ddde239c7f7864d0d2eaf31597a96c

SHA512
3d2473fd09d5d0a4a0f463ed84522165254880a6f94491b5c9a21fbbd39df4579980184fd838f75b3ad6457065c818c536447ae18c97eac29146cd8be5883040

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE

Filesize
408KB

MD5
b8eaef2339ba6bfac3648df30d041a95

SHA1
0833419f0da847383c0031611c69a87baa8f2d6d

SHA256
6ce2b4a0e176126f0899223eace35c31b544e46a2067b0ecf0adf8d06f87309d

SHA512
c265a39039c9dd8237fb10c26066ff7247babc727a556919f7673311dee1d38c3a52a2cf83e54f148401b984495b4e5636b8254388376e96f0a4e9a40cba6613

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms48FF.tmp

Filesize
595KB

MD5
89feeb6ec82c704b1771bfa2536bd401

SHA1
2ae958b6e74986696e412e313b5f0aee3756ba19

SHA256
9765068707da158f492b48d5628b3b6cc93dc34dd402d57c0b4ced60701e0b9a

SHA512
9ef8c9c1c9795cf4451dd577c2292171c7dccb9aa24447dff72de9e886e604638b32f637ba8e19cfc86c377fed7a97c56336a62f7edd6130d4a8b928f5bf0484

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4B70.tmp

Filesize
46KB

MD5
194de251c043183099b2d6f7f5d1e09f

SHA1
dc477dfc0e090e8d7bd31fb808f59060dd2cf360

SHA256
12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6

SHA512
6a1433b9bc070f18f60c3f115a1173e8979d211f6e97daf3fc7fe13f05ab15123874919418fc014fdd8af62c82426cb091b867b36a49fe7fc8fe929709b3a433

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp612B.tmp

Filesize
1KB

MD5
db5e3f14b64ed69affa1389010cd445e

SHA1
752719617c787dbb741cfd4e8a608dd2f578d4c9

SHA256
eaeea05441cdf6ec90fd034de26b0108920f2d625f308497ebe7c05be8b69cc4

SHA512
8ee07a3e1684fb72852ad954b985db0d5a3931be5037a1fa8cb62677401d52042d80a80f27e1692edfef1d9f15b1d0cb8b8633b0414727cd775b04c4bb5e7fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp.bat

Filesize
153B

MD5
270cd75762c89e7a1e797bb00077b2fb

SHA1
f938ba5aada410d5e8d4ef5c2d59728867ec4e51

SHA256
b81b2380a0ab0a42ebf97f3abc764dd3e9a61af0525375f80243fe7876c03659

SHA512
8ce446636643964317059c47f5236b23392ceca724401c5d053e80fc697d0b36a2edd4fdd2ce035e707c4e1450ef6a7ed795722a21179a4b4d35dfa115862054

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrvs.exe

Filesize
45.1MB

MD5
1162e38b0df9acf1cada113dc587f2de

SHA1
e32b7bdcb177468fe492f34673b0b9e6e6df5ebc

SHA256
c2fe20d38baf0ceda154bba444aefecfa436b16162195d0aa68a67df89456f7b

SHA512
c496ecd07e5369bc9f041174f6dad099d650a1a14d70f506e6ab00c11e8fc04b18c330d737ef86b00172392fe7701babb967ee54f63066e0b01418436139df98

Download Submit
memory/220-38-0x00000000002B0000-0x000000000031E000-memory.dmp

Filesize
440KB

Download
memory/220-36-0x0000000072EEE000-0x0000000072EEF000-memory.dmp

Filesize
4KB

Download
memory/220-44-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/2636-45-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2928-125-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/2928-32-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/3124-43-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/3708-0-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3708-3-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3708-2-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3708-5-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3708-4-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3708-1-0x00000000006BB000-0x00000000006BC000-memory.dmp

Filesize
4KB

Download
memory/3708-120-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3708-6-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/4124-126-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4124-136-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4124-139-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4328-11-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4328-118-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4328-12-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4772-124-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads