Analysis
-
max time kernel
117s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
01/08/2024, 02:36
General
-
Target
https://workupload.com/file/9recfD6V5SM
Malware Config
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/9recfD6V5SM1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee54b46f8,0x7ffee54b4708,0x7ffee54b47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3496 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,14689892494330979409,13665377969364350082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Anarchy Panel 4.7.7.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe.config"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5506e03d65052f54028056da258af8ae6
SHA1c960e67d09834d528e12e062302a97c26e317d0e
SHA256b26d2695dfe8aed4d0d67d11b46d4542c3c9c8964533404dfe32ce7a3e6cfb98
SHA51215da55267433c41febebbe48983023293c6d436f89a56138cef1cea7deb5cdd7d4bcf58af12835e1152a8ec59e08cfc965e521eb54eed47fe44e1f4c2d1557a4
-
Filesize
152B
MD5a15dea0d79ea8ba114ad8141d7d10563
SHA19b730b2d809d4adef7e8b68660a05ac95b5b8478
SHA2560c4dd77399040b8c38d41b77137861002ef209c79b486f7bbdb57b5834cd8dbf
SHA512810fc1fb12bceae4ca3fad2a277682c2c56f0af91a329048adbeb433715b1f707927274e3e4a4479222f578e8218663533440c71b22c49735a290f907cc0af1f
-
Filesize
168B
MD5c4c039ef26076404a51459eeeec9f992
SHA1e2507d798d0bb1a56b5ab8488a0eec93be4747d2
SHA256e04d83360a56290a74a0aebdebe9b8c457ba6d9f7bccb7bb6b05a34aec4527c0
SHA51231c3ab1edec37913aa709839de7209cfcab2a95408278a7c7e99f97f023b1722635e35cdc08b89dd00f1dcf2652f58bad21eaf381c8a8e15ad6e3b58f6724448
-
Filesize
6KB
MD5141cbd9d21d6efa356c99164f779607f
SHA130a877283259a177b5836c85dfa4ac972de88269
SHA25624300978f02ad040bc30f2ef8b7b6d59c17f2f9fc22a3e85b972edc5ac1724c3
SHA51283499aa377fdf7c549484dbf259cba30442803fa81529d1b7bce8e3273c5906780ad1d043885e81a6085bb6025fe36fc513e5229d4ae362a93c1610087536bfa
-
Filesize
6KB
MD567db37bac92e009c5a33b789e887b09f
SHA11f243a7dab428bb37d6a7acefcd82734d2798872
SHA25614fc9be1508ab98cf777a57cda24022f199a116efc0c46204d355149a80d984b
SHA512bc8707d6544f7f7489deaa6c4b0320ce0c2236c1be74f8e3fca4e8247bc88992025b0f397ddcd8c1edbd1e89a97f90e1702b163163cba2bc91dad87697a44b3a
-
Filesize
7KB
MD5985baded4387babf9989c07bee9ed4d1
SHA101722b79f75e11cb066ba2b207bb5d3445f5515b
SHA25627e75de661b42c7f70ddf1339a7a389ee0b7bf08986b4ddd72564e8d9ae0ea6a
SHA5129c9fea2becb7770156beb20b3b1e75138c8a38a5ca269725666d958078a31fe21ee4b5741e03757d5e5de160c6db3980d0ef9fe84f404b1e014f27c7d10ef832
-
Filesize
7KB
MD5bf3cc9031feea95892b6845c8c175447
SHA1689e29acfa9246b37b1d3e86403e2e9b32d9d909
SHA256aca6dd85ed7e8bef3b67a7e9111ea814a1c37ff437b9ad1fb1e7f22efc7137a3
SHA51210cf866a85f048d289517c100f7f6004fa94b3827ad053b5a1664f8871e27e555954ae004ac587666bf9e0686caa68f0b45f698026841409ea50c0f9ec8bce14
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5a6d65163c9b35d2273934a03304a19e7
SHA15d2a98b2b90818b483c107e82731a52c6d6dc68f
SHA2564d2a0b10b3b608137a541173cca1dbceb84855cdf2e0d4d7353a16ca437433ec
SHA51299ad73c726cc5f9500c0bbb78e0d99f5252bae03fcaff64d5f670979a5e1d9e59866448e36ad487633e01f6ceda144dda94e44f61d11660efc9422c038c76b7a
-
Filesize
11KB
MD52b076b3475d1eb963a7fe76496899367
SHA199baede590227c1a029e1ca2d6be3836e5b6266b
SHA256c38fb92cf1f72cf714a9b8ff002c29f6dc423f6fc46519ffd4adfa601ee8f447
SHA5124bae573666ecf58afe1726829a8f5217c72b493d2ee5df7e9a286f21ce01df90d13890dffa345c77eb42d3560cbdeb4acfd15ad1729a59ee667ceea115685b32
-
Filesize
10KB
MD50ae6894ca69f0b6e2ee6b558b9a13755
SHA15dfc33124a564a97e0f54f944a1c851928b69cd6
SHA2564eb5497bdb4fe755a64bab33c7a75bd65efbcac1eb7d6aad6b2499eb3ddd5cdd
SHA512308b58e81f12155c5d47943a4276230cfd95de7cf03048d59d1b94a89bb2bb18603677d4b083872dc1b97210a045300727c92dac3de3ffa65a1aecbd5a3ad751
-
Filesize
10KB
MD5bafa3e9164174f4ae8edc575a5faaa83
SHA1fad83cd0ce2d81431cb49839d570d2dc44ddbdac
SHA256064003f4edf6d79ea2e177be2937bc63cce2538a9306b8bfe1488bb448e0dd21
SHA512fa6a9d475454eb1630e99098830e1c70c2f9f3d65deb48e47503aa3ef430ac364d81ca978a03381732fc83debcb1ab00a3fc6ecd36b64b6c1c45ac7dd7b7d52c
-
Filesize
1.7MB
MD556a504a34d2cfbfc7eaa2b68e34af8ad
SHA1426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA2569309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
-
Filesize
3KB
MD53d441f780367944d267e359e4786facd
SHA1d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5
SHA25649648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9
SHA5125f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90
-
Filesize
54.6MB
-
Filesize
72KB
-
Filesize
5.9MB
-
Filesize
3.8MB