Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
25-05-2024 13:51
General
-
Target
MartDrum.exe
-
Size
904KB
-
MD5
1e4352c43b8c5a6b5a10dd0ace9a57a4
-
SHA1
6d4f220bdfee34df0b3b9d8a829dd423fab5abdf
-
SHA256
9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0
-
SHA512
ac96916f4c42acbf8be07d814dbc15e04c50e3874888ebdb3d762f74fcac58e4e100da68a34d78da12403ee09f3bf59c681bf3fa258de8e39e1038b5fc42e7a9
-
SSDEEP
12288:Fy3S2m4omcLCRdCPiofcsdS3c2qRWi2kx6RAaiPjMoxIlDhI4HPlRoQ9RT9tQ6DP:FyhM1LAdCKo0s6xrkxJxjDIldBHdRvfb
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
Load_Man
leetman.dynuddns.com:1337
AsyncMutex_6SI8asdasd2casOkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\MartDrum.exe"C:\Users\Admin\AppData\Local\Temp\MartDrum.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"5⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir 223935⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Cock + Enhance + Forest + Grocery + Mall 22393\Fighting.pif5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Amd + Backed 22393\Q5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22393\Fighting.pif22393\Fighting.pif 22393\Q5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost5⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Innovations\PoseidonSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & exit2⤵
- Drops startup file
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22393\jsc.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22393\jsc.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
924KB
MD5848164d084384c49937f99d5b894253e
SHA13055ef803eeec4f175ebf120f94125717ee12444
SHA256f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
Filesize
523KB
MD5c6d3af61f6a8b9e9cc3c0997243cbc8d
SHA1e99aa1b98ab1baeeb82365fd6f76e99d0417f67b
SHA2564e6c63fe5b8faa26ddc90f7183bac516ff42d7148d7ba8cdcfd816b37ea340e2
SHA51208f9b3b6925c7da20bdd870d6c3de1ac4df680f43b8bf19e4a03d5a240b435d396918ea206a54668952a41fc25466606f18ab2972f4c4ca17083b13680933138
-
Filesize
46KB
MD594c8e57a80dfca2482dedb87b93d4fd9
SHA15729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA25639e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA5121798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc
-
Filesize
461KB
MD53bfbfcf6dde8162276981a6c818526fc
SHA12359fc484c7ff2e40d2b0e5a58abafc39a2f534f
SHA25648a39ed8fcac7eea85635bff545ea72b9bb741a33affc3cfdc1d9513ad466d9b
SHA51268962d58896c6971a1c6411121a1c9723b511096828576c7b3333d4eec7d248bb11585964811219f436e599c52d4c13fa992e2fc369c82f1eb7c8f628a0e0adf
-
Filesize
62KB
MD5bc332c8625f154764139eebc5543d265
SHA12114287c7d17b25b6cb18250dca0ad1d3be1badf
SHA2564052bb73dc0b19224a815c89ba44728868ff3d7ccd4ba888c5a3deeeea1ba75c
SHA512367f4ad92cd1aee6d76aed2d1cb670c3a059bc826eae30632f8db5754ce32677248d705bb3cd61dfb1db56c781b73bf0f7728c345d808c9a839a7360fabc64d6
-
Filesize
245KB
MD53250d6f3cef2fa42d8144d7300c94a9a
SHA1fb41f4b16da0c326d4f994fd69a95148740db16c
SHA2564b4fa7e6aa4e413577040eed27ab1b8295e0f019ca4007dedf5d131bacb8c86a
SHA512b19361ae089fe0fff1e0f6ef995ed9fdb76c08df329ee95cf6845a61362027e18378bf4951a67e55c7da13a3f184d3b613a91ac0d7f613163523a4ea1da63c21
-
Filesize
129KB
MD52eaf3dde860d1fa5cb576a067d88e0c9
SHA1f731f073975e880445e63ab7130b9d6b35e030e4
SHA2569d0a82b1d0302bd357ada65073f63b79bcffacfd687941fb66b879e51dbc7e6f
SHA512cc230393bc0b8256b5132882eaa53c8e749b74b5bcf4aec2f3cb6c6f417433da24ac54744d825dff14993cd0ccc17c4d76e128b3e76597809e11aaebfb795df0
-
Filesize
215KB
MD5cbd44c7f5d1ffca6b785ac5610c584a2
SHA10d3c42631251b1256c61f2b499ff2dcee141955a
SHA256b691b133ac132727cc615e39d09e7db00e179ffcfe4b7939de169042ce3b8a5c
SHA512246d9d66564d10e80958d1a6796e4d8ee28549f9d8b0a161ee929d7b9d3a740a0befcd81efc8d20092ff2fb802c50e9581a7e290988550931a5341c1a1545c67
-
Filesize
154KB
MD57a10d8c21d509285032ccc39be8ca70a
SHA1c94f9e1239f669a720f05712a536d443dcfb87d6
SHA2567a4f7c61b90f5e0c6467eef51446cbccaf8e410117f4ec2dad6b400cdc3be9ee
SHA512eda1f6a3b085801c3f55a622612bb1a9260477c435fa68ab8c9e6b77316dabac2a17d574422990282ac699eac9275b92d5051fee902fefe243ff22e8a0e42c55
-
Filesize
181KB
MD5cc937c80427292e3f084280877637c6c
SHA1e5e958447df0e571f194848d9c570ea9568f9665
SHA25664402cf5b891e266e8736340b70202796110ff53a0bc63034434b8feef1c3eb4
SHA5128b70a42aaa091f0ce1694052504e53f8db4d02a7290c251b33373dfab4a8fa334e05226755ec7bd96594f9ace60e3625e8481a2dc34c9e410b11b55958691a93
-
Filesize
12KB
MD589d7b6fab91c718d1eb98295746b0e0e
SHA112933edc9d0d0812f7eb6240468a5ba03d92ceb4
SHA256f593d273036a2db89a963774319942d27d7de6718033988297b5220e4566037b
SHA51241d036fa81ebf2680c24bc240e40b62a5008b1a5daaac714e3bd86bc4784e54719c4cbd0377aa984e08db0fbab8e1db84b86b7f257df3b50d505645f42b70046
-
Filesize
88KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
408KB