Overview

overview

10

Static

static

3

DeliciousPart.exe

windows10-2004-x64

10

DeliciousPart.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1795s
  • max time network
    1161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DeliciousPart.exe

  • Size

    854KB

  • MD5

    8432070440b9827f88a75bef7e65dd60

  • SHA1

    6c7a2124b7076383f577eb0042f9ea917b2b4066

  • SHA256

    459443def8fd0c940b2da33d9703fcf5771dbcd9ce4aff2dcc670528c1d1d3c1

  • SHA512

    50d8ca74f51257b03678fcb9e98b8ad3eb412403d3b87efdba1dbf09af207aba6e21f849fe811600467e4d5803188ed8e521c407e8942adf0a002c1d937bbf61

  • SSDEEP

    24576:ZY/1EAAfF8FU1lqbrkSqdKHYiJfLYkoDhsYPWLiK:8VAt8FU1lekSq0c68FK

Score
10/10
asyncratdiscoveryrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeliciousPart.exe
    "C:\Users\Admin\AppData\Local\Temp\DeliciousPart.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2164
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4376
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 349877
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4816
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "ORDINANCECHILDHOODCONVERTENDORSED" Booty
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Norwegian + ..\Mysql + ..\Tours + ..\Awareness + ..\Picking K
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2284
      • C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif
        Faced.pif K
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks.exe /create /tn "BioMind" /tr "wscript //B 'C:\Users\Admin\AppData\Local\BioTech Dynamics\BioMind.js'" /sc onlogon /F /RL HIGHEST
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3424
        • C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
          C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
          4⤵
          • Executes dropped EXE
          PID:1092
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 15
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif
    Filesize

    1.0MB

    MD5

    c63860691927d62432750013b5a20f5f

    SHA1

    03678170aadf6bab2ac2b742f5ea2fd1b11feca3

    SHA256

    69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

    SHA512

    3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\349877\K
    Filesize

    294KB

    MD5

    c2a4fd12d413dfc8e4b1e37b8f8aee94

    SHA1

    5164e8f38a29ac76b34d03cdc16ce273a58bb432

    SHA256

    6885fd9a711b7f8ba4d057eb6de0cee6e3ac5c193086220f0df473a293e54fd0

    SHA512

    2cce54656fb690e7c494a2cbb2f9d2c7599f42ef8f138647d0aefd5b4cd0b4bd7f1674221359c9acaf70b8f3548b80b9f97e31b49c3d40fd49b0d370c7664c0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
    Filesize

    63KB

    MD5

    a4eb36bae72c5cb7392f2b85609d4a7e

    SHA1

    5c58053a3a18c0226b98a4ac7e7320581300b6c9

    SHA256

    dc45704ba97d974d157c1c4a27dba402afa595eac2468d8def2ee8d0a2ee9a81

    SHA512

    8ebdd20b7c1ee87aa3766d812960b0d8cfa0a6ba6e371f730e589895d202dd540eb475f69940261c1532e90d1030370e9eb5102cadbf6e546f99b350de79b95a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Awareness
    Filesize

    95KB

    MD5

    3d433702ad47521887f8f4c46367e188

    SHA1

    1f6a35c56aa019baefa709970d8710d5b6cc9a09

    SHA256

    a7d8e066479c17eeafc4732d28b38c713ad82e45008c138bb482a302dbce4907

    SHA512

    9f590f44dbd66218a2b3b3fcba7477f69ef4464d69337d67e021cdd883f0d4fc4b4125630f578754d1dae1a06296580d5f8c879dcb167bdc0906080b59b6bc35

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Booty
    Filesize

    5KB

    MD5

    456e8d3795990ee35e9cbc227cd15982

    SHA1

    9975e340561e157ac4e3c4c8fd33d7eef308268d

    SHA256

    c9a8704bdb3aced2af9ef516c6c1ea53145460a763d54bacf3da50f07fbee52e

    SHA512

    bbf344bee7a00522667aca111db321d9520ce5e986e4f7069343923553388321b95479897af013ce214783f23ce665980c67d2998373c3f61a1ce1c30bd93f69

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Distributor
    Filesize

    1.0MB

    MD5

    350de0e31aa0d66122bd6f686c51a118

    SHA1

    6e97be100aca0c32186b29d0a1a01d0242bf92e3

    SHA256

    3e63313db20fe4d41a6d16f50df9dd632b44b519299f7729cc98f183804e0751

    SHA512

    3a45cb6b3d020d7006ba3813320024fb93ba8228674e474b061d078df39421c8900b25ef292bd5466a807a0bebf4e34deea585bf880cff7a8f3ef38a813775af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Mysql
    Filesize

    91KB

    MD5

    ff82d720fafa65d0118b0158ca740524

    SHA1

    320a35c7ccb261719c4bce9eb102bf0644a6e70b

    SHA256

    388fb4562fb986384807fdacd20f6879b640c36fde7a2e954986f53305f4b533

    SHA512

    e43c701fe1635b2d84a9b39adc8d3bb7aeec81647cdacb5bce9a6298c98fa0da9d6858f7a7b8c72ad95a9ecf6874ad89fd33d06a9b400e3914db211552f6c392

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Norwegian
    Filesize

    52KB

    MD5

    2f1dd187a223dd7faead0d4bceeba5b3

    SHA1

    8d86c8e86f21103ad29f1f6862343c2712a69f23

    SHA256

    8687d07d8992cc9d82e7c30e09e02d5638ef497f1ca5f8162d6376f0ed82f2a6

    SHA512

    7e18885e9fcd7e7fdb3fe274ef961d69400f73e559872d58cc305f992296202097de81f3c845dd34d2d85b378fd98c0330cd4d5b15b9a4d1ca6155dcf0b12238

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Picking
    Filesize

    2KB

    MD5

    3a83957e84f93270c2bec9b39a578ce5

    SHA1

    68952c3e118405cf225796d6b5aa1c2bad16a0d6

    SHA256

    3dd565cfb94bf646f5b2b42efade7a4abe8ec67661fad5e4630492bb3bf7817c

    SHA512

    f8cc0ab08764b73622fae22687700957ce332d56150f863fef6cf4848129f2731ac559e2a6444d03c6a063c966b917c06ac8b79e5f615961bd84d179685254d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tall
    Filesize

    10KB

    MD5

    7bb1b88b0dad0d85e482bf27d8ed266f

    SHA1

    53621cae980c2232d1a06b834ee54f4cc551901c

    SHA256

    f06031fd4be1e9e5d057622752c9d1f1ce4511c2839f4b218b4d5fa89a783225

    SHA512

    cc479a4aed0568ddbf47d6e83d2a4f837fac47000244a7b6ceb81c02ab4480ae7a0dcf5d38cf05e179ff6fbc69e32e08041cdf65d52fe092de59fd3840d8a70d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tours
    Filesize

    54KB

    MD5

    b771cf4019629d56e8492691792498e5

    SHA1

    b9e9e1d4829e6125c4ffb5fc19fd779968ce2778

    SHA256

    2840fe24a2d9b7ca532c5f351469d50cc6bed0d37fb648753e940b49786be891

    SHA512

    e20551a1dc3a8dd7445eceaecb14570c7f7681fd6b6c8322c31cdcd27560f5206ad9162d7cd71128bb28432f35f95f002233c0b3f7eeaf43b8539d281b153d48

    Download Submit

  • memory/1092-29-0x0000000140000000-0x0000000140030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1092-32-0x0000019D38960000-0x0000019D3898C000-memory.dmp

    Filesize

    176KB

    Download