0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

Analysis

max time kernel
143s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-es
resource tags

arch:x64arch:x86image:win11-20241007-eslocale:es-esos:windows11-21h2-x64systemwindows
submitted
13-11-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COMPILED.zip
Size

6.9MB
MD5

30b1961a9b56972841a3806e716531d7
SHA1

63c6880d936a60fefc43a51715036c93265a4ae5
SHA256

0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c
SHA512

9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0
SSDEEP

196608:C+MPQJu8YfQFtMAFMQ5RIhFmQ06L29tJW0SCK5u:C+mQ08YfQNMQ5RI7i9LSCAu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1100	AsyncRAT.exe
4600	AsyncRAT.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
1100	AsyncRAT.exe
4908	7zFM.exe
4908	7zFM.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4908	7zFM.exe
4600	AsyncRAT.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4908	7zFM.exe
Token: 35	4908	7zFM.exe
Token: SeSecurityPrivilege	4908	7zFM.exe
Token: SeSecurityPrivilege	4908	7zFM.exe
Token: SeSecurityPrivilege	4908	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4908	7zFM.exe
4908	7zFM.exe
1100	AsyncRAT.exe
4908	7zFM.exe
4908	7zFM.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1100	AsyncRAT.exe
4600	AsyncRAT.exe
4600	AsyncRAT.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1100	4908	7zFM.exe	85
PID 4908 wrote to memory of 1100	4908	7zFM.exe	85

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\COMPILED.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3752

C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AsyncRAT.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe

Filesize
6.4MB

MD5
97a429c4b6a2cb95ece0ddb24c3c2152

SHA1
6fcc26793dd474c0c7113b3360ff29240d9a9020

SHA256
06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5

SHA512
524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

Download Submit
C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe.config

Filesize
5KB

MD5
cb1f2dcfeb5cbb5af8efa7ea40b8e908

SHA1
ceb040761554040cac2fc7ca18623498d3bfc7ce

SHA256
58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372

SHA512
f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea

Download Submit
memory/1100-15-0x00000217A4240000-0x00000217A4492000-memory.dmp

Filesize
2.3MB

Download
memory/1100-16-0x00007FF9AD6E0000-0x00007FF9AE1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1100-17-0x00007FF9AD6E3000-0x00007FF9AD6E5000-memory.dmp

Filesize
8KB

Download
memory/1100-18-0x00007FF9AD6E0000-0x00007FF9AE1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1100-20-0x00007FF9AD6E0000-0x00007FF9AE1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1100-13-0x0000021789500000-0x0000021789B6A000-memory.dmp

Filesize
6.4MB

Download
memory/1100-12-0x00007FF9AD6E3000-0x00007FF9AD6E5000-memory.dmp

Filesize
8KB

Download
memory/4600-90-0x000002927BB30000-0x000002927BB3A000-memory.dmp

Filesize
40KB

Download
memory/4600-91-0x000002927BAA0000-0x000002927BAB2000-memory.dmp

Filesize
72KB

Download
memory/4600-92-0x000002927DCE0000-0x000002927DF60000-memory.dmp

Filesize
2.5MB

Download
memory/4600-100-0x000002927BCA0000-0x000002927BDA2000-memory.dmp

Filesize
1.0MB

Download