Analysis

  • max time kernel
    31s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 19:44

General

  • Target

    munchenclient.exe

  • Size

    6.3MB

  • MD5

    b995bac46098f434d11d84ec79bcb6ac

  • SHA1

    3bb75ae3a8ec4054ccbeea3e3b2daf854bad81e2

  • SHA256

    0a7f831cb637214cae61b0e833bd5e5fabadd5dc5d4d68331fe76cce091e1542

  • SHA512

    72a515bfb170f0c06a26b3907cf31802a1ebb3b148d0f3a60d4424ea899f5f1b38d9a4bfd5fe25960d65eda8623e9ac12f1069d2940b1ad7e234c8bf78da54ce

  • SSDEEP

    196608:kpPx7IW+Ryxgp1qRAL1vJYrET+9b6P32gm/uMkOPx5WzN:k9x5gp1qSL1vJYrM8b+3NkOOPxy

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Gibsons

C2

198.98.58.93:999

Mutex

obamanet_floyd999

Attributes
  • delay

    1

  • install

    true

  • install_file

    Core Sound Service.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\munchenclient.exe
    "C:\Users\Admin\AppData\Local\Temp\munchenclient.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcwByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAaABrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdgBpACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1744
    • C:\Users\Admin\AppData\Local\Temp\munchenclients.exe
      "C:\Users\Admin\AppData\Local\Temp\munchenclients.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AagBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAcAB1ACMAPgA="
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\Built.exe
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\AppData\Local\Temp\Built.exe
          "C:\Users\Admin\AppData\Local\Temp\Built.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:868
    • C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe
      "C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Core Sound Service" /tr '"C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:484
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Core Sound Service" /tr '"C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1996
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEED2.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2016
        • C:\Users\Admin\AppData\Roaming\Core Sound Service.exe
          "C:\Users\Admin\AppData\Roaming\Core Sound Service.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • UAC bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab15A.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Core Sound Service.exe

    Filesize

    411KB

    MD5

    4cf5485962a77f230dc8f55b491130cd

    SHA1

    148418d84ec198032a3c384a03571dc45ee26a3d

    SHA256

    d976098cc4601c051f863f3eb9c0cb339471da6f67f6eae015b3f0239a44869b

    SHA512

    296abebc586c3bed08e8d195730e80426471f3a68833d054cbd31a09a61ba0a407844e70a5c713d67ffcc95bde7f7c0d5efc5307cee9fa88607e3117fe0b6ac5

  • C:\Users\Admin\AppData\Local\Temp\TarA62.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\_MEI26442\python310.dll

    Filesize

    1.4MB

    MD5

    178a0f45fde7db40c238f1340a0c0ec0

    SHA1

    dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

    SHA256

    9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

    SHA512

    4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

  • C:\Users\Admin\AppData\Local\Temp\tmpEED2.tmp.bat

    Filesize

    162B

    MD5

    521153ae4047258726cbeb686684b80e

    SHA1

    db0771cd4ab282e55bbdac0299a0a21a8905c86e

    SHA256

    971158632d960eb50f66862c8df83b6566d4b7d2c61a48dd5eccf57c2a588bd1

    SHA512

    168416c81ee171a95dcc1334149ebf5968e3c3a8706bfb165e164dacd8ac3fd62cafa41687e3993a05fdcd27be354a46f3ca24f84394fb2bf260d29cf66a13d2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    3250e22dc77316a079925238141fed12

    SHA1

    bffd937db611bf2617ee7140c2511a4959dd9bc0

    SHA256

    a5d211153e66f40aa1edf84eaa79a0646362843c41e36d8496ee19897fa740c8

    SHA512

    0d3a434908bbb2f3c41a95c8dfa1943010fb51bed7f24e4df33680b1dada585cf50d02f6864921599e4e24363c50a7238f9adf3377e8b92edfdf9bb08b1061b9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    60ed2912f0805951c74de1510fc6f09e

    SHA1

    a231ccf24377a1394855a73f2db1221b5dffc213

    SHA256

    b1502d18c48f6aae5a74e08959bc7cb8cee03fc9df57f597f31af15729a05814

    SHA512

    8ddd0d2564c4621d24da45bcca3aafa91bb79aeb768e0566a0c166df71e1db6bd8b533b8f6aa62d851aea01af3adcc8b038c57cc876efa33038c501b5ff03a52

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\Built.exe

    Filesize

    5.9MB

    MD5

    6ef38dfd53a643a2225848759960dbac

    SHA1

    29cfc9715c4e978a82734459cef0ff9a1ce4ddc4

    SHA256

    945a4092e68d2d3a5b18b8edfd6fe23e3ee96747c05fe5a8bd98a5a3b3a34a5f

    SHA512

    1a31a137cf4071c30488e64abc50291c8a6435d68d5f873d7f53d08621bc346ca09065647fc3c0fa70fc269544461bab78060e9e61ff98435d70b87c28b8a4b1

  • \Users\Admin\AppData\Local\Temp\munchenclients.exe

    Filesize

    5.9MB

    MD5

    ea11d7c22e4b34f7acccaa5154263a6c

    SHA1

    1bdfc6ec9aa260783546ed35fcc996cedda7b193

    SHA256

    e1776f0997d5d91ca25490e8948e449fefbf4d56ef442b64cc1bf94fb680c661

    SHA512

    47b95e0f54fc4975788e55a784066577cd70512cd0508e8d13c256cac72f768c0d3b505411275d885108047fd1459da09ac76d567d8eeb455b3768ae1a778272

  • memory/868-60-0x000007FEF6170000-0x000007FEF65DE000-memory.dmp

    Filesize

    4.4MB

  • memory/996-74-0x0000000000F70000-0x0000000000FDC000-memory.dmp

    Filesize

    432KB

  • memory/996-91-0x0000000000480000-0x000000000048E000-memory.dmp

    Filesize

    56KB

  • memory/1396-134-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

  • memory/1396-135-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

  • memory/1608-142-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/1608-143-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

  • memory/2736-61-0x0000000000860000-0x00000000008CC000-memory.dmp

    Filesize

    432KB