Analysis
-
max time kernel
176s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 06:46
General
-
Target
Project Buu.rar
-
Size
30KB
-
MD5
92873d2f99e985d47885123508f96de8
-
SHA1
622e60c7bc942e6a003a7131c35cfe6ccff6d683
-
SHA256
558909412427b05911a02cddfe00fc5e9d30bc38e1ba636d04aa7efb63438ec8
-
SHA512
81f0f373c89af6599c511c4e5b5446353bf6b71ce34bb1e6c13d4b3c842e889b505484689c4e800c05dadbf20c54b6d9d5653bf41ae58b6b380b354b1e278dfe
-
SSDEEP
768:JbQLvR3dqVDOkV406ur3n2N/MCiII7F+2H4:JbQLBnd0xL2vIQb
Malware Config
Extracted
asyncrat
Default
79.110.49.58:3232
-
delay
1
-
install
true
-
install_file
Windows Security .exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
UAC bypass 3 TTPs 3 IoCs
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 20 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Project Buu.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO8B9206B7\Dependencies.exe"C:\Users\Admin\AppData\Local\Temp\7zO8B9206B7\Dependencies.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Security .exe"C:\Users\Admin\AppData\Roaming\Windows Security .exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All5⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All6⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid6⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Security "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Security "6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1806.tmp.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO8B98F4D7\Dependencies.exe"C:\Users\Admin\AppData\Local\Temp\7zO8B98F4D7\Dependencies.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
527B
MD5ebf23a94c8f4842d79b562e7d2be5370
SHA15c22ad6c303a66442f1ae595aee7f44b8a225652
SHA256bebc5171be099a8e7f8b29481a97d71826636b6e4a578d1db2ac022a25b26beb
SHA512c92039b73eaf14acbca873c7214f6233b9fa832b7603e0910203a3b7fb0d8a48ca70577436103bdddbefc0fbc6623d13c7067844e55b25c48e3fc54926ed2c67
-
Filesize
1KB
MD59cd2c5433608d3d85db3c76f499fb617
SHA1a1190c055880f4f497a9a87de2968d087930aa07
SHA256d0f6cc74ecbb99dbb1d3eadcc4abba6f0981b69dff6f21f546891e865491b22b
SHA512efea5227cf3cbd5ba12fe865ca8cb299e81ff0f2c3c2b2c299310cc55f3583865fbbf894c8415f3de7880e0dfdd62b515cc4e9a2b73964714f83674dbb47259e
-
Filesize
3KB
MD5f8b1a212e9e0b69b653931bf507b4766
SHA1e1499c9af4ddd850168714b5605e3394c8ad1146
SHA256727615dc87077c4055fd587ace55f28817b2d060e4c967c48b63907b3ea29005
SHA5120c70f4f4ecd8dee0e460c06f5aa0706ca5e4797efbced43d5bd432ec945cc713b371de48597b3d6708409506be35e447d43caaed08975c4126b170f3f02c2da8
-
Filesize
4KB
MD53feb12854974d5ded07c2ec176a42279
SHA117c1f273be47ac3ca2799f5857973651f5b01528
SHA256a229951d6e0456635bf902b2cd911ef28fd64e63436bba26077ac75beafccb66
SHA51225b88d62c64700d5a04831e6f003205aa9ed46ccadfec4a462cd0d984339f83586ea76749338b72610e7e207740683d00129b4ec5b1837be7fce2c171d02d9ce
-
Filesize
425B
MD5fff5cbccb6b31b40f834b8f4778a779a
SHA1899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA5121a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
63KB
MD597be07e4d8fa640d71aa049385d8bcc2
SHA1cd21b0a98183abe177ce6b1a857f9b4166100b4d
SHA256df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31
SHA51223e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
166B
MD5aa94d9dfdd530aed0bace68517915795
SHA1d9ee2a21b3ed735c86fd9865f33499427cad9058
SHA2564987f95b6f888d5fa808f5773422965d46d297753a3780d7c24397264b14702a
SHA5122f63d8cc35cd48c00bc0db3b47128f38ccbf829375b18a840d186ec1497eaed128487056077103cdfe3abb8a6b111e8547f4f9a081e0de849978a0c864391b3a
-
Filesize
161B
MD57ae239dfdbffcae5dbb501cec8b0fde2
SHA182e106d0c9481cacd0df30f47ef69b5e691fa71b
SHA2563a2f70556640c605393cc63ccef4dfcfdf8964a9032276f76848b51b3483f3d6
SHA51249fbd4f942e39964a00a0ce6a9dc39c2c5ed479fd112dfbe87e3486a08ff37cc1e26a17b2e8110060a54d0260fffea5341dbfebfe1fe2a780e590217dffefd1d
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
1.5MB
-
Filesize
208KB
-
Filesize
488KB
-
Filesize
120KB
-
Filesize
712KB
-
Filesize
208KB