Analysis
-
max time kernel
436s -
max time network
435s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
23-07-2024 22:32
General
-
Target
https://drive.usercontent.google.com/u/0/uc?id=1Mjh9mHfA5x0H2pdzGNsS9s7iaLG1FeY9&export=download
Malware Config
Extracted
asyncrat
Xchallenger | 3Losh
SSSV2xfPymSGyZKXNnD
anothonesevenfivesecsned.ddns.net:6666
AsyncMutex_TmizKoi8nsHRdZoA
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.usercontent.google.com/u/0/uc?id=1Mjh9mHfA5x0H2pdzGNsS9s7iaLG1FeY9&export=download1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc50fcab58,0x7ffc50fcab68,0x7ffc50fcab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1276 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=1920,i,7242020863266050509,13302640036089499281,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\SummaryForm_GhDmNtjoYiaANB\SummaryForm_GhDmNtjoYiaANB.wsf"1⤵
- Blocklisted process makes network request
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$eksdmocc = Get-Content 'C:\Users\Public\TTTTTTTTTTTTTTTTTTTTTTTyeq.xml'; $oommmmmmmmmmmmvv = $eksdmocc.command.a.execute; Invoke-Expression $oommmmmmmmmmmmvv"2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\cSEnDAyONsEVEnFaaVVteX.vbs"3⤵
- Checks computer location settings
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" session4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\FaLlROcItYwAhHEsABAkHAmsa.bat" "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\FrsTSenDAyAtESwahdsabKHmsa.ps1'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\SummaryForm_GhDmNtjoYiaANB\SummaryForm_GhDmNtjoYiaANB.wsf1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\NblAUTBGBZOLszJj.vbs"1⤵
- Checks computer location settings
-
C:\Windows\System32\net.exe"C:\Windows\System32\net.exe" session2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\SawRAeeekHlKtOSHkaA.bat" "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\FFrsSTSNdaYaAOneSEvENFiVVEE.ps1'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51e52bf37587ef5af33a0a24abc55e23c
SHA10590d1a57e8d11b534cb66320356a53f3bd9ebe0
SHA256f4da8763fa878d80dbe2bb5ccf20ade54634ae068a7bdb965541dbe1851311cf
SHA512c4dd522869ead0b6d0dce9f0dd8dc81cf1d8779b4492dfb5272d7264bac98d32344e01133e86d9894d8da68e0cd24d6ce221132c9ffbc8f1ca6e380aca576b4a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
7KB
MD594aadc96d5eeeff2aa33625ff7620290
SHA10dbbdadcb074f0da2d9656b2797f837f0930ed44
SHA2565b9a0a9382ed4b32406eeadba1bd6b54ac132537cc64d033dfc4752cb8ca0ca2
SHA512aa2693bc028e5ff0e5bc80a6076fabd554131cf3827db05f9941b8f146000270ac163639127c3cadb882d61fdbf20e664d37c0ab348b50657a453726f455405b
-
Filesize
7KB
MD5a63122dedaaf8f43b2bd020874c9a7cd
SHA1d6d832164cc71afa6ff65cad1ce6dcc1738c20f8
SHA256137039cfddc811ebc5f145594a02f3ac081e4ed159a36a1e7ab71b6f7f120f90
SHA512967e2f7b4e5d535740d432e9a248c7054a7ab8f6cfbe6d8a2d422f7b8e2330c447873abe1d015ba4ff9dd3ee507dcce9f3476c40b171993ad74f36ae99523f4f
-
Filesize
144KB
MD510f657f84712dbc03f5292cf4ca40924
SHA168ae67b51f8ccfab73c6f5c34a83bccc685bb8f8
SHA256a6007e0c3c02835ef3e17e0edf078806be31eb5adb911a09e3a71cc74e567485
SHA5124536f124fac8a6263f1540d92631b6fe36a8d5a087777cd219c6285aeb686e8437bb5f32a83e862c6e856086646815af05ef85fd7900512edd8f5a57f76f1d8e
-
Filesize
97KB
MD54dc2dec5df5dcc130910af1b921f6046
SHA1671dd7923e9c54fcb1cc46c61a1bc1061aafaa54
SHA256809ff40afc0bf7d38f42506949c9cdb8de4d1b54d89642558c39558f3e77a947
SHA5122b0f8b9838fdc8dbd5494e45735cbba4a2103e93a752489f737ab7465d553ef9e9ac56a4987b7872c3abe5fe7ad41ed5b809f8aeda3433b73244f53527db3ebc
-
Filesize
93KB
MD5c37c340b936425140b9dc48dafd698aa
SHA1724fff63a1ddac2535da53704ddcc8e9a1db990c
SHA2560723b1d93824b0ddb91fc3ba8ddb5638d356ee004ad45a23defbb1719ebff1dc
SHA512e7fa6097dbe209111d188b7db062f2963f7ba5269de593b9ac891ba2537924ec6e4ef168f2ab3d69279e90b8477dfb8e44f0c73a06c37221aa264531aaeb6b0a
-
Filesize
3KB
MD5dd6085af47993de750fc1bba39e02d75
SHA1c83d868735b3170ae109cacc1163ba647ab3e5b2
SHA256847924eed8197b381f6dfe87f2f1ad3d6a4ea542e5afe291e3e5144419ba28b4
SHA5129d50ba6331a1c5b1ae6b38bdee8e8bf871d63c3245b78b40d6287b9730e862bd731f99e1956ddf28db819592b35b005824b078535de2a0003523ebd8ab62c59d
-
Filesize
2KB
MD523dd627dc0e7f8645e27a33485cc35c9
SHA10512665c062556ccfb76fecc66078d6da7d0c9d2
SHA25603d40281c2822c079b50ef50e2686606fb3fac45d71ac789df672bc0617e64b9
SHA512b7f8a794e6b18634d841aa9a91bde7ac491086a06e3df481f83c7136331737f11401d83fcc716acd80d1806d8e8ae5b7e48ac12bdda890a4f121c48f31dfe0f3
-
Filesize
1KB
MD5e29f7d1ca4310154a629f67c718ba4d6
SHA1217e13ead594ace04b27b643847e2b473bed8834
SHA256c00e6b2452129b6d298da758cef99b55368adfe0c86e7b09597099ba228e4081
SHA512243447b7a56d6e09e7c03257f083f1adcb0ef57f1fc2fe9aa5b9bad81b4139ea125ff7281f22cd82fb71d7530e115391345e40da5034d9d05b24cc6e19514a53
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
817KB
MD575b7b9825838c6e9e876b4ae7b3c0be1
SHA1f2710a505b4e48aa03666d13830f9a60897873cc
SHA2565a91cb461a794bcfb2de68caa9a73955f7d20fc1b6d70c2bf0a25baaa429a323
SHA5125fbe8852302d89f4d0eacd1514eb95c2497f3afcffebb934b92f03723ddaebf8922fe15cab8a6fd1c21276ebf2703887ffca5772fcc1b7817244b8091518a3eb
-
Filesize
1KB
MD558c5b5819af04af60456881213f824a2
SHA1e90f3b009a47e40770ec5e2305a329c43a9feb1d
SHA256e64d865bcf73844ba14b72cdedefd7c238aa4f21f0801d2d71be7163aa5b7b37
SHA512ea43ce76567db92140f938de70328e029d152e49ca353ff2a5cacedbe52ee5c1f6fc3ffd1910bfb8a25017165930a55f16d1bd3e9b2fc3e7d968764282ba771e
-
Filesize
543B
MD5fd7b598b4cade48ffdabf5632ceda50d
SHA1369f45572c285afdeb008bd7f9c74f9d2bc1c70b
SHA2569108b47d51f2f6f1e3cbe70fda0df87d9c0d7fbb63959c8d87b01c50073dd7d4
SHA51228373695ca3f098fa9157405db7abc7c7436be41950798f772aef415f7f2420ca2b274dd0e304f969a43b0affd13d20c707200a4141edde3b9f0bd8a75874a8c
-
Filesize
1KB
MD5fee4eeed37850f5536f862f5c75671dc
SHA15c92c63c9cd0f92f4c8378d954af7dc6cbb975a6
SHA256a56b446da4e2e60d5739ba599bc8822dd9509c816a4ef19296a87eb9a0853927
SHA512dafc331b6846a787f78b02e189fda70e770f21b3faec0cdc67d1b4b2080009fa532e5d914fa39aa29bdfb96de059b3f15f3c82e2765bb254df1afb6f7ecceefe
-
Filesize
1KB
MD56dc43053bd4465111748e8da509ea02a
SHA1a6688eeb8e3590418a5a08f1e14e6905f175d56b
SHA256e4b28c82d4eb06e3778c9f5b0b0c8a9fb143ed7e9f52c8a600ce0392e244c6e9
SHA512c307d9008adffe7224e562d33648e902f5a57671799e598bca02000765c4a518da4a69a6159d53e0cf0c9a649a0b3cbaf50658c2239bf901348f5542895bfce7
-
Filesize
411B
MD50ef5023921232e85d7d4b35849a5dace
SHA11cb63ef03edd596e2d5ef5c2e4de0e5005c9eab7
SHA2567a806d6e806bdcf6ad1bbedb6283e93e724f5b2438d877a084ef2aeb73ff85d1
SHA5127e1b973fcba55e00d9b669e88c54c76cdad7b02101a533d1ef6db1be08488866f32050657afc8d227d89d1997f0a8c40c451bcb42c8764255c755aacae5c5875
-
Filesize
1KB
MD54a3c4f9782e07ff45814cff9d96099c8
SHA1a3e89f7d2c5b6e986c87a5099fc458e0b6462cf1
SHA25607f398ff74f2ea365309f435d745262b73dd409966640b21631cc5cc8c12103f
SHA512fc62d28dfe2e479f885fd86c6e7d69fc878c5752e5d27336001d31d59aca21179b1f41a24d2711b84f89fcdfad9d216d123217555769fb7b8e58c7cd17fdcf6c
-
Filesize
88KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
432KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
136KB