Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-12-2024 00:18
General
-
Target
CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe
-
Size
22.7MB
-
MD5
55287c8aa442a3f521aabb6a80b3f6a8
-
SHA1
5e9c38e66448c4c1b8066b04987eb62cf6f48763
-
SHA256
cfb1ee668fc3e25580c334ab753749d2ef5a44ab9be1e033047345827696cbf8
-
SHA512
2d265bb941c28944ae7a25dea43d6122e04e549d349fc8276670683926feac52b12d3de42b0601d134f3842641b28751a62c8ddc28e3a3140f2041dfdf629813
-
SSDEEP
393216:9JQpmvC0NcJ1eE5GvFUmpeMPN30SscehY/L8A2tGECaJWE5MYUAPES:9Wm60A1exWYP0SsceOQAnsDOhs
Malware Config
Extracted
nanocore
1.2.2.0
pettbull.ddns.net:53896
127.0.0.1:53896
5bb33a25-3661-40a6-bf27-e3cf4c873773
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-12-19T09:35:29.334939436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
53896
-
default_group
MIX221
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
5bb33a25-3661-40a6-bf27-e3cf4c873773
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
pettbull.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
asyncrat
0.5.7B
MIXONE
pettbull.ddns.net:6606
pettbull.ddns.net:7707
pettbull.ddns.net:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Windows Microsoft.exe
-
install_folder
%AppData%
Extracted
quasar
1.4.0
MIX21
pettbull.ddns.net:4782
69383ffd-4823-44c2-b21f-a105f85ed9a0
-
encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
-
install_name
Windows Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Windows
-
subdirectory
Windows Update
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 5 IoCs
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 19 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 42 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe"C:\Users\Admin\AppData\Local\Temp\CFB1EE668FC3E25580C334AB753749D2EF5A44AB9BE1E033047345827696CBF8.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Service Host.exe"C:\Users\Admin\AppData\Roaming\Service Host.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Service Host.exe"C:\Users\Admin\AppData\Roaming\Service Host.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"' & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"'5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD78A.tmp.bat""4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"C:\Users\Admin\AppData\Roaming\Windows Microsoft.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Help.exe"C:\Users\Admin\AppData\Roaming\Windows Help.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Help.exe"C:\Users\Admin\AppData\Roaming\Windows Help.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Windows Help.exe"C:\Users\Admin\AppData\Roaming\Windows Help.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Windows Help.exe"C:\Users\Admin\AppData\Roaming\Windows Help.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Help.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Windows Update\Windows Service.exe"C:\Users\Admin\AppData\Roaming\Windows Update\Windows Service.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Windows Update\Windows Service.exe"C:\Users\Admin\AppData\Roaming\Windows Update\Windows Service.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Service.exe" /rl HIGHEST /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe"C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\WinOptimizer.18.00.18.Portable.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe"C:\Program Files (x86)\Ashampoo GmbH & Co. KG\WinOptimizer Portable\Ashampoo WinOptimizer 18\local\stubexe\0x27455F3DAFB1B6BB\WO18.exe" /864A627C-C6B2-464A-AA13-25D62F282BD83⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32B
MD5e9c97ae79ab745cb66ce05e1a9ab20df
SHA19f9e33533ff2008e10e6a29bff98d67a5517eeb8
SHA2569feb599169c871c8245c5fcc3168cc9f75d8e2bb1770d6ccd63e8bdb474b335a
SHA512c7f5f4225ef1e530fafbc7413bbf663997adb8fb45a5c1ed18be26b021fa26777b11d8cd64733d229548da592fccd0a8dce0e63bf2982e8055235e0c358878ce
-
Filesize
32B
MD58772df039500fd01f9bd0d50e8484c6c
SHA187b9bbb4964e7bff7ae01723dd3a5da26300b65e
SHA25610f0eaedaddfd5b9cc6b68a02b8c48a033ceea67e21f69ff83b65385ba7266f6
SHA51267cea5476f0c0fb3a91887cc78d8a64b69bce1db18101594a89782a5282bff2b304a4613005f74daad48e2432c70e48ac40e4dc948e02efb79a356a4899b8da5
-
Filesize
12KB
MD5c350eae76e3c20d66b2522db203cf62b
SHA16ebc61a00a96680dc9c77ae83751d37a574149a5
SHA256ae4ffb5bbe1a233d88af0881b7c077e937c5356e345e3bbee449e2fcff078069
SHA5122963d40f1662771f5ecc445f5f3f2d07d5cfb9de782ed064abe2d818621e1a80e05446a5a43eec35f01990a0fd758dfcda09d55317f2d16bea29bec19df5d70b
-
Filesize
2KB
MD5001c17ae908669a87412127f4ecc819b
SHA1fd355882b356a352207f7b3119527dc488376c61
SHA256b1d8c621fe0e755ba42e7bd18c1639e49122e73ddb46bc8a7fc4e60808a672ce
SHA5122c7a596198901b1a8803de59a7f4b768ad7f967a170e6ecb6373544a77f74468005f16cdd0ec00251f6319fd0f2fd7cdb9724ec18799b98f506867a7510b284f
-
Filesize
16B
MD5ec3d19e8e9b05d025cb56c2a98ead8e7
SHA1748532edeb86496c8efe5e2327501d89ec1f13df
SHA256edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4
SHA512175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349
-
Filesize
6.5MB
MD5866899fee33d7381f370ce6b8233b087
SHA19488c2bf2cf59618c0e89c033c6d7e4ee41ae62b
SHA25699325f07cecd3f109ba2b6a1f160850ea6602900590d12718a223b1d88ea52bf
SHA51281d7f9d9c4dee2119157a6f379d895c4933bce386ed053f6f62581defd61584788c1e3089f41daade64457166e6b94c054dcea70f461bdec30c6f5fe5555b9ee
-
Filesize
621B
MD520860011495f1ffbdf13364972c18325
SHA13f060dbca2865e6b126a2c57cfdfae13ea6a5051
SHA256a8484d149c9ea151f2dfb337bce84c486678a88549ef243abf1199f0adb0bb2d
SHA512bc6bc69ad7b09543f1ebee2a658d151f89a32c61f4fd75558c461da6622b03d2c49e67aab4f54dedc7862e18903a605208bad94bb7186bb1853a625b2c64bba5
-
Filesize
632B
MD5bb0fd220a11c9083c19e432ff91dc842
SHA1f88e500302e91645ee6894dbc599a8ac09b54030
SHA256dcd7ddf6a1a7a5dcdf0502012331f9994e6a17ea4bac1603d15492b243a7dde4
SHA512019622e05728c73d6c0d014cbe4595e25f6ac919d30aae5bfc1e52c0f1b51a2f510f9097733f64e744f7a6fb0b131ce796db5f7866363d762a99ba4b64b0b765
-
Filesize
379B
MD573102579f0cc3777bdd0ba96bab8d6f4
SHA108512e731aed9cdfeebf2e8fdc24a35ea23e3477
SHA25603c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435
SHA512e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13
-
Filesize
161B
MD5040e1463199cd2e836876675dfbb17db
SHA19c00a252cd8839c8224f8b0dd84f0a8a9302e59e
SHA25656d247d26f8373989a5df7cf7aceac5c1a61106fcd98b0155b72183d4366d608
SHA512eb7732061c99bfce7efecca0e71110c07675ad01157eb78b26ed40514e93d61b960a9b222d65ef6a9bf77437af90136ec4744ae5b1bce567c6d8fd7e08bc31c8
-
Filesize
259KB
MD5eca239a4923b4a96c2ed6a0805dd86dd
SHA101c57f3ac452857996accd616cc94b11a0fa4ade
SHA256edc445d791e148aae429f8a06d414b2b57fe3f47fab4f2fd2bd8fac73e4acdc4
SHA51249eef0f03a2d49d6add7368760c45b983414166ada6423e928bf36123229bbc6360ed6dc930da00e3bb5f4913698716c54fdd0fcd2715fe42c5e9b2d08d7260d
-
Filesize
101KB
MD55552da494eb603d395bd867989de69b1
SHA1bb4054c6db453a73c7c34d6f5f15cdf1a111252f
SHA2564ed7dbbe202873552598491aa2cd5c3b734514add487ff1c2f16c54d1d8852b2
SHA512722bf80731b8ca14e995b1a6a77ac1a2889af2e5de58b7c2876b1363049f664017106499b0e0c2b65b144ac34711041e00c805f13f7588049c377dc2a20d6ec7
-
Filesize
28KB
MD5a42c7fe90cd110ed7b73e2795d68080c
SHA16ef8b052120331562d38d2eceb35bf6e1bc7674a
SHA2566bf9fe450845361706dd331a02ff51dcb21b4df9be2387af43be690ad4189bb5
SHA512e4ae00e77454c8b25a47d4cf15aa46bce68f7fbd0bcc8bd42c3ad6a0d224736dfe42d04a1be7daaa3437b2c99aa6be0fb3ed2867ddae7a7d455f1b44139394ce
-
Filesize
558KB
MD553992ebaadaca513d4a606f7bd349157
SHA145fe4a2a83ae6d8f334687969a85be4ff3cbaf05
SHA256fb0d11b408ec7a227f03afd2b28d9759d4fb2bed11273a6dcd6ab5e7772ad2b9
SHA512be4b732720805c11b069a5bb96d498b41172ebc74172fd84b75bb65ef10bc580e417dd5a108cdac0615d590e58debe414e8e1b259dbbc1e91c39cff4b9071130
-
Filesize
128KB
-
Filesize
584KB
-
Filesize
80KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
4KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
80KB
-
Filesize
584KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
6.9MB
-
Filesize
224KB
-
Filesize
6.9MB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
128KB