Overview

overview

10

Static

static

1

123.txt

windows10-2004-x64

10

Resubmissions

26-07-2024 17:04

240726-vledlavbra 1

26-07-2024 16:47

240726-vang5azfpm 10

Analysis

  • max time kernel
    745s
  • max time network
    594s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123.txt

  • Size

    117B

  • MD5

    2198f281bfcd0a9d26ccd2b0f0a2d32d

  • SHA1

    3efc22ca20f2e529dabf605c3d0d594301c1fb3f

  • SHA256

    39084a637e0eb5a27054223fe6d94a02524816d822becfa24500503c0be67dec

  • SHA512

    7f24ffa94bda68245dde8778d06116c2d3ee298ca7cc3245155875c71685c103d9d97719785070fc642404ec8f97a8fab35c352920a69ee635b69cdae7086583

Score
10/10
asyncratdiscoveryrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 52 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\123.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2316
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4904
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.rar"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1004
    • C:\Users\Admin\Desktop\Release\Server.exe
      "C:\Users\Admin\Desktop\Release\Server.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2932
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:5096
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "MircosftEdge" /tr "C:\Users\Admin\yes\Client.exe" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "MircosftEdge" /tr "C:\Users\Admin\yes\Client.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1128
    • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\ConvertToUnpublish.pptx" /ou ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4172
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:896
      • C:\Users\Admin\Desktop\Client.exe
        "C:\Users\Admin\Desktop\Client.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4888
      • C:\Users\Admin\Desktop\Client.exe
        "C:\Users\Admin\Desktop\Client.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Users\Admin\Desktop\Client.exe
        "C:\Users\Admin\Desktop\Client.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3336

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL
        Filesize

        1.3MB

        MD5

        14393eb908e072fa3164597414bb0a75

        SHA1

        5e04e084ec44a0b29196d0c21213201240f11ba0

        SHA256

        59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

        SHA512

        f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
        Filesize

        871B

        MD5

        386677f585908a33791517dfc2317f88

        SHA1

        2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

        SHA256

        7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

        SHA512

        876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_r3nmysqdzfnw3fl2evty3qtf5hsihv1t\1.0.0.0\0thxqdcj.newcfg
        Filesize

        560B

        MD5

        463d2a6611fbb9f0657b8c8c9783f6e0

        SHA1

        9fbda301bda3be3c9c2362b08cf4046857e2612d

        SHA256

        31d89529523e9b788ceec89cb43f1d2d26b44829e720324facf0906251135046

        SHA512

        c2b30090064b389eed8f79429765dc881c74c83352c7bb6e81585b81e9df6010cc89150766e94bf5091279a54b50301a529af70ec2626e2da2a842040424b169

        Download Submit

      • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_r3nmysqdzfnw3fl2evty3qtf5hsihv1t\1.0.0.0\1ixjgvvw.newcfg
        Filesize

        677B

        MD5

        96671b08e5a097f8a72f9322210beda3

        SHA1

        0f738fb76ba712c66320630691f8a0cbdb23a948

        SHA256

        2d8162c07c60fb56de2e7d4cd2dbb40c239f3278759891e3df926f5e2dfd1d0c

        SHA512

        ce6e772a12256a71ee7124c54ea737c0e0ba6a1285dead8e79b32c0b464b22ebacf297a44c3cd7717dc0968d2007108498f1d579fa6cfae65ce29b1f3bb7d2ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_r3nmysqdzfnw3fl2evty3qtf5hsihv1t\1.0.0.0\user.config
        Filesize

        311B

        MD5

        a35bc67d130a4fb76c2c2831cbdddd55

        SHA1

        66502423bba03870522e50608212b6ee27ebf4c5

        SHA256

        e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

        SHA512

        4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

        Download Submit

      • C:\Users\Admin\AppData\Local\Server\Server.exe_Url_r3nmysqdzfnw3fl2evty3qtf5hsihv1t\1.0.0.0\user.config
        Filesize

        434B

        MD5

        cfcf8e91857f364e002065c52ff8f91c

        SHA1

        8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

        SHA256

        572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

        SHA512

        364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

        Download Submit

      • C:\Users\Admin\Desktop\Client.exe
        Filesize

        543KB

        MD5

        a5fe9609882b3c292212887d05159479

        SHA1

        bae0394a912e6cc879fd749d3e911ea9ce386714

        SHA256

        dd83f93cb64c7835035c646608e234c87ca3ce479193cf35d8a0613da14d1937

        SHA512

        52e2cbd9a3bbbe74f707b7eabb1be9fb47a068739f38b705d0e87c186ec1e74afbe7c4c68b473a17b9dc4d41d9bffa5c4192ff8bdf3731af60d8daa9320e6f7e

        Download Submit

      • C:\Users\Admin\Desktop\Release\ConfigBulid.json
        Filesize

        1KB

        MD5

        b989e2d62df5d81e6a2299f97d93d770

        SHA1

        6751ed86d964602fb7d40ccdcd3030e276153d50

        SHA256

        a9206951ac956142382f26fb0150f167c86d321b1a6e24fffdfe65b4245dba12

        SHA512

        5cb2758b55e19824d6b81a6b8ab421df315da740e644153267c6d384dcf77ec5e0347aea9acf07fd3fb6702f81191878e3d4bb65c268afe4dca27825d7f9a085

        Download Submit

      • C:\Users\Admin\Desktop\Release\GMap.NET.Core.dll
        Filesize

        2.9MB

        MD5

        819352ea9e832d24fc4cebb2757a462b

        SHA1

        aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

        SHA256

        58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

        SHA512

        6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

        Download Submit

      • C:\Users\Admin\Desktop\Release\GMap.NET.WindowsForms.dll
        Filesize

        147KB

        MD5

        32a8742009ffdfd68b46fe8fd4794386

        SHA1

        de18190d77ae094b03d357abfa4a465058cd54e3

        SHA256

        741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

        SHA512

        22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

        Download Submit

      • C:\Users\Admin\Desktop\Release\Maps.json
        Filesize

        2B

        MD5

        d751713988987e9331980363e24189ce

        SHA1

        97d170e1550eee4afc0af065b78cda302a97674c

        SHA256

        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

        SHA512

        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

        Download Submit

      • C:\Users\Admin\Desktop\Release\MetroFramework.Fonts.dll
        Filesize

        656KB

        MD5

        65ef4b23060128743cef937a43b82aa3

        SHA1

        cc72536b84384ec8479b9734b947dce885ef5d31

        SHA256

        c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

        SHA512

        d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

        Download Submit

      • C:\Users\Admin\Desktop\Release\MetroFramework.dll
        Filesize

        345KB

        MD5

        34ea7f7d66563f724318e322ff08f4db

        SHA1

        d0aa8038a92eb43def2fffbbf4114b02636117c5

        SHA256

        c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

        SHA512

        dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

        Download Submit

      • C:\Users\Admin\Desktop\Release\Newtonsoft.Json.dll
        Filesize

        695KB

        MD5

        195ffb7167db3219b217c4fd439eedd6

        SHA1

        1e76e6099570ede620b76ed47cf8d03a936d49f8

        SHA256

        e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

        SHA512

        56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

        Download Submit

      • C:\Users\Admin\Desktop\Release\Plugins\MinerXmr.dll
        Filesize

        20KB

        MD5

        cdd34cad0a91c9d4cadc61a0100e5321

        SHA1

        b09247b19433e8dda89025c10e6ce8caedda0b54

        SHA256

        1f95b7d21d33291d3cd6196276d8145ed0f3067125c480447432eaeaa32d45ec

        SHA512

        c3faa2a252e693c1343662c04cc121af2bc0fa90154060680f75436f794599fdc1ed300f4781b57728fd60e4ffb9c88ae2b346deef98ea44fa50d812ea729f4d

        Download Submit

      • C:\Users\Admin\Desktop\Release\Server.exe
        Filesize

        1.0MB

        MD5

        97fdf675692906714405d7e9bd6a9c61

        SHA1

        f388a87852ca61122f2563b9919625d33c7efe78

        SHA256

        dd3c72966f70692309714ec42461021fef21c26ad33b1b43e3232186b632a44b

        SHA512

        06f371bbec435746a876bb8127979c46fb1a21949c7f2b1f0e7edd4895382c5018113d52cf86485fa8d269f5c4b597c2739519db11b78bb7574638272ebf925c

        Download Submit

      • C:\Users\Admin\Desktop\Release\Server.exe.config
        Filesize

        7KB

        MD5

        2083876ec03ad06e5c16490fcb4ab8b6

        SHA1

        b8f50f08abd53225c046912471dfd271a98cf15a

        SHA256

        28026de2c65972cb8fac1ff2865c33e24d1086f7242b2fe951cef172909ad128

        SHA512

        b16f1fbe8e10b66079d83a46818423fb2e2e8619cbdc1427ce0cd27f06092af52bcc003755e939320cf84f8cc5a26c92e43041013fe3ef60c7d73d8624ee6096

        Download Submit

      • C:\Users\Admin\Desktop\Release\Stub\Client.exe
        Filesize

        46KB

        MD5

        1d38a7499142bad0522edfeb876116ac

        SHA1

        06376d5be754a1f04a688928af1db622f56b36f9

        SHA256

        176e444e759bc6d6030e1a1fa4ff99f69ffdb2602fb2c2b18e8ed7bc14f2079b

        SHA512

        c1a5ae6d0fdae81b8a52aebfa2695b00c4c8f56b3876f7a69e13d040801cdd824fecbb690f0f34772875f86326477ca8a3fca3e533253a786c0cd03986068eb2

        Download Submit

      • C:\Users\Admin\Desktop\Release\Themes.json
        Filesize

        33B

        MD5

        fdf6d963491b41d9ba798f60fe27ef8c

        SHA1

        4908bfc78d191f60ab583fe093bc579fd5ff06a3

        SHA256

        bfe1437218dd94ccd078a8683f59b65e28d8d63defa7f419b2cef81bc031a7bf

        SHA512

        96e5981739a3328387aaf80b6b6a071dc7a2135d5bdaa99b638527b9cd82eb514d21d27a26445a01082a4ba8811ac130a671690e51cf780fd66acdd3a12a3c25

        Download Submit

      • C:\Users\Admin\Desktop\Release\cGeoIp.dll
        Filesize

        2.3MB

        MD5

        6d6e172e7965d1250a4a6f8a0513aa9f

        SHA1

        b0fd4f64e837f48682874251c93258ee2cbcad2b

        SHA256

        d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

        SHA512

        35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

        Download Submit

      • C:\Users\Admin\Desktop\Release\dnlib.dll
        Filesize

        1.1MB

        MD5

        508ccde8bc7003696f32af7054ca3d97

        SHA1

        1f6a0303c5ae5dc95853ec92fd8b979683c3f356

        SHA256

        4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

        SHA512

        92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

        Download Submit

      • memory/2932-282-0x0000000009B90000-0x0000000009BCC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2932-228-0x00000000082A0000-0x000000000834A000-memory.dmp

        Filesize

        680KB

        Download

      • memory/2932-243-0x0000000009480000-0x00000000095CB000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2932-238-0x0000000009430000-0x0000000009452000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2932-283-0x0000000009A20000-0x0000000009A41000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2932-237-0x0000000009C10000-0x0000000009F64000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2932-296-0x000000000D320000-0x000000000D3D2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2932-236-0x00000000096B0000-0x0000000009992000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2932-232-0x0000000009390000-0x00000000093BC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2932-255-0x00000000095D0000-0x000000000961C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2932-224-0x00000000055A0000-0x00000000055AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2932-223-0x0000000006090000-0x00000000062E2000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2932-329-0x0000000000F90000-0x00000000010B2000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2932-219-0x0000000005BF0000-0x0000000005C82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2932-218-0x0000000005150000-0x00000000051AC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/2932-213-0x0000000000690000-0x00000000007A0000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2932-214-0x0000000005640000-0x0000000005BE4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2932-464-0x000000000F240000-0x000000000F2DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4172-343-0x00007FF906B80000-0x00007FF906B90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-338-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-339-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-342-0x00007FF906B80000-0x00007FF906B90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-341-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-340-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-484-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-483-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-482-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-481-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4172-337-0x00007FF9091D0000-0x00007FF9091E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4900-336-0x0000000000950000-0x00000000009DE000-memory.dmp

        Filesize

        568KB

        Download