asyncrat | 0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b

General

Target

093bc49ab25cc6a20d95155db80f1fa8.exe
Size

753KB
MD5

093bc49ab25cc6a20d95155db80f1fa8
SHA1

b1ed1ffa34d4e909e30e8a3a299a22d5101380e1
SHA256

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b
SHA512

bec9a628e91f16cd4bdfcda85f30a447ab2e817acdfcee307187cb2d5aaff32eb3fa3b659f810aca40290f97ff59122873d60e3fe9988d2195da0b6cb0870722
SSDEEP

12288:mUvKFtlyYqn58iP23JOcXYkrCQNkfCVvd487NYe3VqiYT6K3ifW+Janl:glyY058i0OuIQNkfCb4IV2iW+Janl

Score

10^/10

asyncrat darkcomet 2024+may3333-newcrt persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+May3333-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-M4P4YFY

Attributes

InstallPath
rar.exe
gencode
jSEma97mAgP2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
winrar

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex778899

Attributes

delay
5
install
true
install_file
audiodrvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms4A76.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\rar.exe"	sms4A76.tmp

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4CA9.tmp	family_asyncrat

Drops file in Drivers directory 1 IoCs

Processes:

sms4A76.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts sms4A76.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms4A76.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sms4A76.tmpPRINTSERV.EXEsms4CA9.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sms4A76.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	PRINTSERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sms4CA9.tmp

Executes dropped EXE 7 IoCs

Processes:

sms4A76.tmpCHROMEL.EXEPRINTSERV.EXEsms4CA9.tmpPRINTSERV.EXErar.exeaudiodrvs.exe

pid process

2540 sms4A76.tmp
3900 CHROMEL.EXE
4984 PRINTSERV.EXE
3616 sms4CA9.tmp
4032 PRINTSERV.EXE
2396 rar.exe
3224 audiodrvs.exe

pid	process
2540	sms4A76.tmp
3900	CHROMEL.EXE
4984	PRINTSERV.EXE
3616	sms4CA9.tmp
4032	PRINTSERV.EXE
2396	rar.exe
3224	audiodrvs.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4A76.tmp	upx
behavioral2/memory/2540-11-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/2540-12-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/2396-118-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/2540-120-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/2396-127-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/2396-138-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sms4A76.tmprar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	sms4A76.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

972 schtasks.exe
4308 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3920 timeout.exe
Modifies registry class 1 IoCs

Processes:

sms4A76.tmp

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sms4A76.tmp

pid	process
972	schtasks.exe
4308	schtasks.exe

pid	process
3920	timeout.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms4A76.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sms4CA9.tmpPRINTSERV.EXEaudiodrvs.exe

pid	process
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
3616	sms4CA9.tmp
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
3224	audiodrvs.exe
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE
4032	PRINTSERV.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

sms4A76.tmprar.exesms4CA9.tmpPRINTSERV.EXEaudiodrvs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2540	sms4A76.tmp
Token: SeSecurityPrivilege	2540	sms4A76.tmp
Token: SeTakeOwnershipPrivilege	2540	sms4A76.tmp
Token: SeLoadDriverPrivilege	2540	sms4A76.tmp
Token: SeSystemProfilePrivilege	2540	sms4A76.tmp
Token: SeSystemtimePrivilege	2540	sms4A76.tmp
Token: SeProfSingleProcessPrivilege	2540	sms4A76.tmp
Token: SeIncBasePriorityPrivilege	2540	sms4A76.tmp
Token: SeCreatePagefilePrivilege	2540	sms4A76.tmp
Token: SeBackupPrivilege	2540	sms4A76.tmp
Token: SeRestorePrivilege	2540	sms4A76.tmp
Token: SeShutdownPrivilege	2540	sms4A76.tmp
Token: SeDebugPrivilege	2540	sms4A76.tmp
Token: SeSystemEnvironmentPrivilege	2540	sms4A76.tmp
Token: SeChangeNotifyPrivilege	2540	sms4A76.tmp
Token: SeRemoteShutdownPrivilege	2540	sms4A76.tmp
Token: SeUndockPrivilege	2540	sms4A76.tmp
Token: SeManageVolumePrivilege	2540	sms4A76.tmp
Token: SeImpersonatePrivilege	2540	sms4A76.tmp
Token: SeCreateGlobalPrivilege	2540	sms4A76.tmp
Token: 33	2540	sms4A76.tmp
Token: 34	2540	sms4A76.tmp
Token: 35	2540	sms4A76.tmp
Token: 36	2540	sms4A76.tmp
Token: SeIncreaseQuotaPrivilege	2396	rar.exe
Token: SeSecurityPrivilege	2396	rar.exe
Token: SeTakeOwnershipPrivilege	2396	rar.exe
Token: SeLoadDriverPrivilege	2396	rar.exe
Token: SeSystemProfilePrivilege	2396	rar.exe
Token: SeSystemtimePrivilege	2396	rar.exe
Token: SeProfSingleProcessPrivilege	2396	rar.exe
Token: SeIncBasePriorityPrivilege	2396	rar.exe
Token: SeCreatePagefilePrivilege	2396	rar.exe
Token: SeBackupPrivilege	2396	rar.exe
Token: SeRestorePrivilege	2396	rar.exe
Token: SeShutdownPrivilege	2396	rar.exe
Token: SeDebugPrivilege	2396	rar.exe
Token: SeSystemEnvironmentPrivilege	2396	rar.exe
Token: SeChangeNotifyPrivilege	2396	rar.exe
Token: SeRemoteShutdownPrivilege	2396	rar.exe
Token: SeUndockPrivilege	2396	rar.exe
Token: SeManageVolumePrivilege	2396	rar.exe
Token: SeImpersonatePrivilege	2396	rar.exe
Token: SeCreateGlobalPrivilege	2396	rar.exe
Token: 33	2396	rar.exe
Token: 34	2396	rar.exe
Token: 35	2396	rar.exe
Token: 36	2396	rar.exe
Token: SeDebugPrivilege	3616	sms4CA9.tmp
Token: SeDebugPrivilege	4032	PRINTSERV.EXE
Token: SeDebugPrivilege	3224	audiodrvs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rar.exe

pid process

2396 rar.exe

pid	process
2396	rar.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

093bc49ab25cc6a20d95155db80f1fa8.exesms4A76.tmpCHROMEL.EXEPRINTSERV.EXEPRINTSERV.EXEsms4CA9.tmpcmd.exe

description	pid	process	target process
PID 2552 wrote to memory of 2540	2552	093bc49ab25cc6a20d95155db80f1fa8.exe	sms4A76.tmp
PID 2552 wrote to memory of 2540	2552	093bc49ab25cc6a20d95155db80f1fa8.exe	sms4A76.tmp
PID 2552 wrote to memory of 2540	2552	093bc49ab25cc6a20d95155db80f1fa8.exe	sms4A76.tmp
PID 2540 wrote to memory of 3900	2540	sms4A76.tmp	CHROMEL.EXE
PID 2540 wrote to memory of 3900	2540	sms4A76.tmp	CHROMEL.EXE
PID 2540 wrote to memory of 4984	2540	sms4A76.tmp	PRINTSERV.EXE
PID 2540 wrote to memory of 4984	2540	sms4A76.tmp	PRINTSERV.EXE
PID 2540 wrote to memory of 4984	2540	sms4A76.tmp	PRINTSERV.EXE
PID 3900 wrote to memory of 3616	3900	CHROMEL.EXE	sms4CA9.tmp
PID 3900 wrote to memory of 3616	3900	CHROMEL.EXE	sms4CA9.tmp
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 2540 wrote to memory of 1960	2540	sms4A76.tmp	notepad.exe
PID 4984 wrote to memory of 4032	4984	PRINTSERV.EXE	PRINTSERV.EXE
PID 4984 wrote to memory of 4032	4984	PRINTSERV.EXE	PRINTSERV.EXE
PID 4984 wrote to memory of 4032	4984	PRINTSERV.EXE	PRINTSERV.EXE
PID 2540 wrote to memory of 2396	2540	sms4A76.tmp	rar.exe
PID 2540 wrote to memory of 2396	2540	sms4A76.tmp	rar.exe
PID 2540 wrote to memory of 2396	2540	sms4A76.tmp	rar.exe
PID 4032 wrote to memory of 972	4032	PRINTSERV.EXE	schtasks.exe
PID 4032 wrote to memory of 972	4032	PRINTSERV.EXE	schtasks.exe
PID 4032 wrote to memory of 972	4032	PRINTSERV.EXE	schtasks.exe
PID 3616 wrote to memory of 4308	3616	sms4CA9.tmp	schtasks.exe
PID 3616 wrote to memory of 4308	3616	sms4CA9.tmp	schtasks.exe
PID 3616 wrote to memory of 3876	3616	sms4CA9.tmp	cmd.exe
PID 3616 wrote to memory of 3876	3616	sms4CA9.tmp	cmd.exe
PID 3876 wrote to memory of 3920	3876	cmd.exe	timeout.exe
PID 3876 wrote to memory of 3920	3876	cmd.exe	timeout.exe
PID 3876 wrote to memory of 3224	3876	cmd.exe	audiodrvs.exe
PID 3876 wrote to memory of 3224	3876	cmd.exe	audiodrvs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\093bc49ab25cc6a20d95155db80f1fa8.exe
"C:\Users\Admin\AppData\Local\Temp\093bc49ab25cc6a20d95155db80f1fa8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\sms4A76.tmp
"C:\Users\Admin\AppData\Local\Temp\sms4A76.tmp"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\sms4CA9.tmp
"C:\Users\Admin\AppData\Local\Temp\sms4CA9.tmp"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrvs.exe"'
5⤵
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:3920

C:\Users\Admin\AppData\Roaming\audiodrvs.exe
"C:\Users\Admin\AppData\Roaming\audiodrvs.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
"C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE
"C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp632E.tmp" /F
5⤵
- Creates scheduled task(s)
PID:972

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1960

C:\Users\Admin\Documents\rar.exe
"C:\Users\Admin\Documents\rar.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
Filesize
184KB

MD5
f6062ddb9cc2fad6e403b8b9dbe02df7

SHA1
efebcabb3902cdcc7b789786d96db2a93156b81a

SHA256
61309415bb524bba3d6065cf5df5ce2031ddde239c7f7864d0d2eaf31597a96c

SHA512
3d2473fd09d5d0a4a0f463ed84522165254880a6f94491b5c9a21fbbd39df4579980184fd838f75b3ad6457065c818c536447ae18c97eac29146cd8be5883040

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
Filesize
408KB

MD5
b8eaef2339ba6bfac3648df30d041a95

SHA1
0833419f0da847383c0031611c69a87baa8f2d6d

SHA256
6ce2b4a0e176126f0899223eace35c31b544e46a2067b0ecf0adf8d06f87309d

SHA512
c265a39039c9dd8237fb10c26066ff7247babc727a556919f7673311dee1d38c3a52a2cf83e54f148401b984495b4e5636b8254388376e96f0a4e9a40cba6613

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4A76.tmp
Filesize
595KB

MD5
89feeb6ec82c704b1771bfa2536bd401

SHA1
2ae958b6e74986696e412e313b5f0aee3756ba19

SHA256
9765068707da158f492b48d5628b3b6cc93dc34dd402d57c0b4ced60701e0b9a

SHA512
9ef8c9c1c9795cf4451dd577c2292171c7dccb9aa24447dff72de9e886e604638b32f637ba8e19cfc86c377fed7a97c56336a62f7edd6130d4a8b928f5bf0484

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4CA9.tmp
Filesize
46KB

MD5
194de251c043183099b2d6f7f5d1e09f

SHA1
dc477dfc0e090e8d7bd31fb808f59060dd2cf360

SHA256
12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6

SHA512
6a1433b9bc070f18f60c3f115a1173e8979d211f6e97daf3fc7fe13f05ab15123874919418fc014fdd8af62c82426cb091b867b36a49fe7fc8fe929709b3a433

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp632E.tmp
Filesize
1KB

MD5
db5e3f14b64ed69affa1389010cd445e

SHA1
752719617c787dbb741cfd4e8a608dd2f578d4c9

SHA256
eaeea05441cdf6ec90fd034de26b0108920f2d625f308497ebe7c05be8b69cc4

SHA512
8ee07a3e1684fb72852ad954b985db0d5a3931be5037a1fa8cb62677401d52042d80a80f27e1692edfef1d9f15b1d0cb8b8633b0414727cd775b04c4bb5e7fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp.bat
Filesize
153B

MD5
67640f512bf55cf106cf8e9511abf377

SHA1
b505cd813fc41274d136c8c484299b6210d5e80f

SHA256
1cbcc039fac7430a8a71d34cc947b55e705b9ad9d8bbd92eb08853cbd89f54f2

SHA512
1ddfa88732eceb0bea149620484c26a49f798b43cc99d16f42e8c1c94a112a8265afd46d784a5a8fc958fcd27cc1bb8b6e6296d6c6a1f6852f75619e0b61af1c

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrvs.exe
Filesize
47.8MB

MD5
f30619813f9297e6b0dc77f317de54d0

SHA1
8301398ab0baffef99288a47579c3a1d12a93bd3

SHA256
c73234e9f0bd027ff96f73f77fd4e72a6aa06d02536e0de2fd8650f6f07989ad

SHA512
02f8ac74965802f96945f331735a872aa5402e5a0ad77ac4e3adf9685e39b9722f0d8556634362c046ba097f48f4a2e884019a0d419fc8428665b8769abec857

Download Submit
memory/1960-47-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2396-118-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2396-138-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2396-127-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2540-120-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2540-11-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2540-12-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2552-3-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2552-122-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2552-6-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2552-1-0x00000000006BB000-0x00000000006BC000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2552-4-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2552-5-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2552-0-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3616-43-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/3900-126-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/3900-35-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/4032-134-0x0000000006700000-0x0000000006766000-memory.dmp

Filesize
408KB

Download
memory/4984-37-0x0000000000D80000-0x0000000000DEE000-memory.dmp

Filesize
440KB

Download
memory/4984-107-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-36-0x0000000072C0E000-0x0000000072C0F000-memory.dmp

Filesize
4KB

Download
memory/4984-46-0x0000000072C00000-0x00000000733B0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-44-0x00000000056E0000-0x00000000056E6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads