Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b525c4353772a037df1a5815c64919b42b03ff92f4cb6a445367f46b7e82fd9.exe

  • Size

    909KB

  • MD5

    9da3fe2dc92314bbde5acb9fcc5ee627

  • SHA1

    67338ae6eaefbec732b72a31c909c4f9f3b09b56

  • SHA256

    0b525c4353772a037df1a5815c64919b42b03ff92f4cb6a445367f46b7e82fd9

  • SHA512

    ba5291821715d572d19871b494538d4a8cb68172518bdeb3c232740e31c9b0767ead41b1c234b56860a439e28d804b8fb7d41ddeffc943dd6b06cc1f4eb241b6

  • SSDEEP

    24576:Gf+4JO2iIzJJ4//3Udkj/9/5//sveidXG:zC/ii4X3Qk3M/2

Score
10/10
asyncratdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

C2

blue.o7lab.me:7777

server.underground-cheat.xyz:7777
Mutex

dtDtRWyW1m1g

Attributes
  • delay

    3

  • install

    false

  • install_file

    $77WinUpdate.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b525c4353772a037df1a5815c64919b42b03ff92f4cb6a445367f46b7e82fd9.exe
    "C:\Users\Admin\AppData\Local\Temp\0b525c4353772a037df1a5815c64919b42b03ff92f4cb6a445367f46b7e82fd9.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:532
    • C:\Users\Admin\AppData\Local\Temp\pop3.exe
      "C:\Users\Admin\AppData\Local\Temp\pop3.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\euclbz.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\euclbz.exe"'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Users\Admin\AppData\Local\Temp\euclbz.exe
            "C:\Users\Admin\AppData\Local\Temp\euclbz.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c ipconfig /release
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2056
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /release
                7⤵
                • System Location Discovery: System Language Discovery
                • Gathers network information
                PID:1076
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              6⤵
                PID:4104
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                6⤵
                  PID:4716
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  6⤵
                    PID:4228
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    6⤵
                      PID:3780
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      6⤵
                        PID:2288
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                        6⤵
                          PID:3372
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          6⤵
                            PID:3172
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                            6⤵
                              PID:3756
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                              6⤵
                                PID:3808
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                6⤵
                                  PID:4440
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:8
                                  • C:\Windows\SysWOW64\ipconfig.exe
                                    ipconfig /renew
                                    7⤵
                                    • System Location Discovery: System Language Discovery
                                    • Gathers network information
                                    PID:2060
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:432
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\$77WinUpdate.exe"' & exit
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1688
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /f /sc onlogon /rl highest /tn "$77WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\$77WinUpdate.exe"'
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Scheduled Task/Job: Scheduled Task
                              PID:2272
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF51.tmp.bat""
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:2904
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout 3
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Delays execution with timeout.exe
                              PID:1500
                            • C:\Users\Admin\AppData\Roaming\$77WinUpdate.exe
                              "C:\Users\Admin\AppData\Roaming\$77WinUpdate.exe"
                              4⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:3492
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4980
                          • C:\Windows\SysWOW64\ipconfig.exe
                            ipconfig /renew
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Gathers network information
                            PID:2728

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0cpkqvy.lvo.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\euclbz.exe
                        Filesize

                        1.5MB

                        MD5

                        675d5f4f8c0a9c2bd46b8ee34db2ac04

                        SHA1

                        a372e425e669936d174914680f46d30540d3706c

                        SHA256

                        ceda1404b09b12e5c59e28d23d0f86df547ed25de42ed74742c91cafe8fdf70f

                        SHA512

                        b9471dd7279a7de5df4547304938b53ce4ff56d373716fb065af8831192d592e1e97e11ed4509c61a80f39a602644cf241e09056f39505b7e64f9fe7aec934c2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\pop3.exe
                        Filesize

                        45KB

                        MD5

                        3b86abe4c79286ed06965c268968c03d

                        SHA1

                        64afe64ee719aa3526023a5f7edacd44db21bde4

                        SHA256

                        47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7

                        SHA512

                        68f108646437fd72622cd1f719b2092b095e67500502981c4b605c64acaa38c12f46a82e47318b405137e5112ff82ccb51bfbb953b67fd3d1e9a5de1c2874483

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpEF51.tmp.bat
                        Filesize

                        156B

                        MD5

                        eb1b60659f47926fe32ff9e98da55a00

                        SHA1

                        805b663e127c0daf138580816324960d074d6a9d

                        SHA256

                        285d591af451a81346fe9f518348d6ad85969e8b859ca839d7c2cb3888561e6b

                        SHA512

                        236832275efba3dfd0861ac662b12b64ebe99eeb9ae7261010359f9886695df90c9ba8d6b46a55869630e3e10459f9816239e6a434b5871dae594c06d557733b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\$77WinUpdate.exe
                        Filesize

                        41KB

                        MD5

                        5d4073b2eb6d217c19f2b22f21bf8d57

                        SHA1

                        f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

                        SHA256

                        ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

                        SHA512

                        9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

                        Download Submit

                      • memory/432-1067-0x0000000000400000-0x0000000000412000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/432-1069-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/432-1076-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/464-12-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-38-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-30-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-20-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-5-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-1042-0x0000000005640000-0x00000000056A0000-memory.dmp

                        Filesize

                        384KB

                        Download

                      • memory/464-56-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-66-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-64-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-62-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-1043-0x00000000056A0000-0x00000000056EC000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/464-54-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-52-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-50-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-48-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-46-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-44-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-42-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-68-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-58-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-36-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-34-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-32-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-28-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-26-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-24-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-23-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-18-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-16-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-1041-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/464-4-0x0000000005490000-0x0000000005570000-memory.dmp

                        Filesize

                        896KB

                        Download

                      • memory/464-10-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-8-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-6-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-14-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-40-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-60-0x0000000005490000-0x000000000556A000-memory.dmp

                        Filesize

                        872KB

                        Download

                      • memory/464-1044-0x0000000005820000-0x00000000058B2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/464-1045-0x00000000058C0000-0x0000000005926000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/464-1046-0x0000000006060000-0x0000000006604000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/464-1049-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/464-1060-0x0000000005E60000-0x0000000005EB4000-memory.dmp

                        Filesize

                        336KB

                        Download

                      • memory/464-1068-0x000000007444E000-0x000000007444F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/464-1070-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/464-0-0x000000007444E000-0x000000007444F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/464-1-0x0000000000930000-0x0000000000A1A000-memory.dmp

                        Filesize

                        936KB

                        Download

                      • memory/464-3-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/464-2-0x0000000005370000-0x0000000005450000-memory.dmp

                        Filesize

                        896KB

                        Download

                      • memory/2000-1090-0x00000000052D0000-0x00000000058F8000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/2000-1091-0x0000000005230000-0x0000000005252000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2000-1106-0x0000000006720000-0x0000000006742000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2000-1105-0x00000000071C0000-0x0000000007256000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/2000-1104-0x0000000006230000-0x000000000627C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/2000-1103-0x00000000061F0000-0x000000000620E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/2000-1102-0x0000000005D10000-0x0000000006064000-memory.dmp

                        Filesize

                        3.3MB

                        Download

                      • memory/2000-1089-0x00000000028D0000-0x0000000002906000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/2000-1092-0x0000000005B30000-0x0000000005B96000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/2652-2150-0x0000000005670000-0x0000000005774000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/2652-1111-0x00000000005A0000-0x000000000072C000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2652-1112-0x00000000050D0000-0x0000000005252000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2652-1113-0x0000000005250000-0x00000000053D2000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/3492-1082-0x0000000004A50000-0x0000000004A6A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/3492-1081-0x0000000000280000-0x000000000028C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/4340-1087-0x0000000006630000-0x000000000664E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/4340-1086-0x0000000006510000-0x0000000006572000-memory.dmp

                        Filesize

                        392KB

                        Download

                      • memory/4340-1085-0x0000000006590000-0x0000000006606000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/4340-1084-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/4340-1071-0x0000000005290000-0x000000000532C000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/4340-1063-0x0000000000580000-0x0000000000592000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/4340-1064-0x0000000074440000-0x0000000074BF0000-memory.dmp

                        Filesize

                        7.7MB

                        Download