Analysis

  • max time kernel
    117s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 07:41

General

  • Target

    MartDrum.exe

  • Size

    904KB

  • MD5

    1e4352c43b8c5a6b5a10dd0ace9a57a4

  • SHA1

    6d4f220bdfee34df0b3b9d8a829dd423fab5abdf

  • SHA256

    9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0

  • SHA512

    ac96916f4c42acbf8be07d814dbc15e04c50e3874888ebdb3d762f74fcac58e4e100da68a34d78da12403ee09f3bf59c681bf3fa258de8e39e1038b5fc42e7a9

  • SSDEEP

    12288:Fy3S2m4omcLCRdCPiofcsdS3c2qRWi2kx6RAaiPjMoxIlDhI4HPlRoQ9RT9tQ6DP:FyhM1LAdCKo0s6xrkxJxjDIldBHdRvfb

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Load_Man

C2

leetman.dynuddns.com:1337

Mutex

AsyncMutex_6SI8asdasd2casOkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\MartDrum.exe
      "C:\Users\Admin\AppData\Local\Temp\MartDrum.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
            5⤵
            PID:2516
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe"
            5⤵
            PID:1892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c mkdir 20715
            5⤵
            PID:2412
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Cock + Enhance + Forest + Grocery + Mall 20715\Fighting.pif
            5⤵
            PID:2624
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Amd + Backed 20715\Q
            5⤵
            PID:2400
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\20715\Fighting.pif
            20715\Fighting.pif 20715\Q
            5⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2640
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 5 localhost
            5⤵
            • Runs ping.exe
            PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Innovations\PoseidonSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & exit
      2⤵
      • Drops startup file
      PID:2388
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\20715\jsc.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\20715\jsc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1912

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\20715\Q

                Filesize

                523KB

                MD5

                c6d3af61f6a8b9e9cc3c0997243cbc8d

                SHA1

                e99aa1b98ab1baeeb82365fd6f76e99d0417f67b

                SHA256

                4e6c63fe5b8faa26ddc90f7183bac516ff42d7148d7ba8cdcfd816b37ea340e2

                SHA512

                08f9b3b6925c7da20bdd870d6c3de1ac4df680f43b8bf19e4a03d5a240b435d396918ea206a54668952a41fc25466606f18ab2972f4c4ca17083b13680933138

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Amd

                Filesize

                461KB

                MD5

                3bfbfcf6dde8162276981a6c818526fc

                SHA1

                2359fc484c7ff2e40d2b0e5a58abafc39a2f534f

                SHA256

                48a39ed8fcac7eea85635bff545ea72b9bb741a33affc3cfdc1d9513ad466d9b

                SHA512

                68962d58896c6971a1c6411121a1c9723b511096828576c7b3333d4eec7d248bb11585964811219f436e599c52d4c13fa992e2fc369c82f1eb7c8f628a0e0adf

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Backed

                Filesize

                62KB

                MD5

                bc332c8625f154764139eebc5543d265

                SHA1

                2114287c7d17b25b6cb18250dca0ad1d3be1badf

                SHA256

                4052bb73dc0b19224a815c89ba44728868ff3d7ccd4ba888c5a3deeeea1ba75c

                SHA512

                367f4ad92cd1aee6d76aed2d1cb670c3a059bc826eae30632f8db5754ce32677248d705bb3cd61dfb1db56c781b73bf0f7728c345d808c9a839a7360fabc64d6

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cock

                Filesize

                245KB

                MD5

                3250d6f3cef2fa42d8144d7300c94a9a

                SHA1

                fb41f4b16da0c326d4f994fd69a95148740db16c

                SHA256

                4b4fa7e6aa4e413577040eed27ab1b8295e0f019ca4007dedf5d131bacb8c86a

                SHA512

                b19361ae089fe0fff1e0f6ef995ed9fdb76c08df329ee95cf6845a61362027e18378bf4951a67e55c7da13a3f184d3b613a91ac0d7f613163523a4ea1da63c21

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Enhance

                Filesize

                129KB

                MD5

                2eaf3dde860d1fa5cb576a067d88e0c9

                SHA1

                f731f073975e880445e63ab7130b9d6b35e030e4

                SHA256

                9d0a82b1d0302bd357ada65073f63b79bcffacfd687941fb66b879e51dbc7e6f

                SHA512

                cc230393bc0b8256b5132882eaa53c8e749b74b5bcf4aec2f3cb6c6f417433da24ac54744d825dff14993cd0ccc17c4d76e128b3e76597809e11aaebfb795df0

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Forest

                Filesize

                215KB

                MD5

                cbd44c7f5d1ffca6b785ac5610c584a2

                SHA1

                0d3c42631251b1256c61f2b499ff2dcee141955a

                SHA256

                b691b133ac132727cc615e39d09e7db00e179ffcfe4b7939de169042ce3b8a5c

                SHA512

                246d9d66564d10e80958d1a6796e4d8ee28549f9d8b0a161ee929d7b9d3a740a0befcd81efc8d20092ff2fb802c50e9581a7e290988550931a5341c1a1545c67

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Grocery

                Filesize

                154KB

                MD5

                7a10d8c21d509285032ccc39be8ca70a

                SHA1

                c94f9e1239f669a720f05712a536d443dcfb87d6

                SHA256

                7a4f7c61b90f5e0c6467eef51446cbccaf8e410117f4ec2dad6b400cdc3be9ee

                SHA512

                eda1f6a3b085801c3f55a622612bb1a9260477c435fa68ab8c9e6b77316dabac2a17d574422990282ac699eac9275b92d5051fee902fefe243ff22e8a0e42c55

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mall

                Filesize

                181KB

                MD5

                cc937c80427292e3f084280877637c6c

                SHA1

                e5e958447df0e571f194848d9c570ea9568f9665

                SHA256

                64402cf5b891e266e8736340b70202796110ff53a0bc63034434b8feef1c3eb4

                SHA512

                8b70a42aaa091f0ce1694052504e53f8db4d02a7290c251b33373dfab4a8fa334e05226755ec7bd96594f9ace60e3625e8481a2dc34c9e410b11b55958691a93

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tunisia

                Filesize

                12KB

                MD5

                89d7b6fab91c718d1eb98295746b0e0e

                SHA1

                12933edc9d0d0812f7eb6240468a5ba03d92ceb4

                SHA256

                f593d273036a2db89a963774319942d27d7de6718033988297b5220e4566037b

                SHA512

                41d036fa81ebf2680c24bc240e40b62a5008b1a5daaac714e3bd86bc4784e54719c4cbd0377aa984e08db0fbab8e1db84b86b7f257df3b50d505645f42b70046

              • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\20715\Fighting.pif

                Filesize

                924KB

                MD5

                848164d084384c49937f99d5b894253e

                SHA1

                3055ef803eeec4f175ebf120f94125717ee12444

                SHA256

                f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                SHA512

                aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

              • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\20715\jsc.exe

                Filesize

                45KB

                MD5

                f1feead2143c07ca411d82a29fa964af

                SHA1

                2198e7bf402773757bb2a25311ffd2644e5a1645

                SHA256

                8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

                SHA512

                e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

              • memory/1912-39-0x00000000000D0000-0x00000000000E6000-memory.dmp

                Filesize

                88KB

              • memory/1912-41-0x00000000000D0000-0x00000000000E6000-memory.dmp

                Filesize

                88KB

              • memory/1912-42-0x00000000000D0000-0x00000000000E6000-memory.dmp

                Filesize

                88KB