Analysis
-
max time kernel
293s -
max time network
300s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
18/01/2025, 02:26
General
-
Target
tmp9D39.tmp.exe
-
Size
65KB
-
MD5
5855063b0ae049847b1d9eeced51a17b
-
SHA1
17cab3ae528d133d8f01bd8ef63b1a92f5cb23da
-
SHA256
62f8cfee286a706856ebe02b176db9169ae776c6609c23016868887ea6b0ab98
-
SHA512
c24970775e8da3f46763824b22fbccdbd2741836cdc3bd9966ef639db8db28cb1b888875da2babab037df6e26e5774f475f55ba10b6f354504185de4d5f4713f
-
SSDEEP
1536:VjTDKqibq1iqHNTcNbRn8smHeC403WAx:VjTDKqibq1iqH6NbRnyt39x
Malware Config
Extracted
asyncrat
A 13
Default
163.172.125.253:333
AsyncMutex_555223
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9D39.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9D39.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9D39.tmp.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1096 | tmp9D39.tmp.exe
4380 | taskmgr.exe (remaining 63 entries, all identical)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4380 | taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
3036 | msedge.exe
3036 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1096 | tmp9D39.tmp.exe
Token: SeDebugPrivilege | 4380 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4380 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4380 | taskmgr.exe
Token: 33 | 4380 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4380 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
4380 | taskmgr.exe (all 64 entries identical)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
4380 | taskmgr.exe (all 64 entries identical)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1096 | tmp9D39.tmp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3036 wrote to memory of 4204 | 3036 | msedge.exe | 94 (2 entries)
PID 3036 wrote to memory of 2156 | 3036 | msedge.exe | 95 (repeated)
PID 3036 wrote to memory of 4844 | 3036 | msedge.exe | 96 (2 entries)
PID 3036 wrote to memory of 4424 | 3036 | msedge.exe | 97 (repeated)
(64 entries in total; identical rows collapsed by target PID)
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1096
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID:3708
-
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:4132
-
C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4380
-
C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp.exe"
  - System Location Discovery: System Language Discovery
  PID:1800
-
C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp9D39.tmp.exe"
  - System Location Discovery: System Language Discovery
  PID:3148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:3036
  child processes (depth 2):
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffc5b13cb8,0x7fffc5b13cc8,0x7fffc5b13cd8
      PID:4204
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4219470525129801556,14220861756879368316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
      PID:2156
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,4219470525129801556,14220861756879368316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 /prefetch:3
      PID:4844
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,4219470525129801556,14220861756879368316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
      PID:4424
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4219470525129801556,14220861756879368316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
      PID:4028
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4219470525129801556,14220861756879368316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      PID:2248
-
C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2392
-
C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1696
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
425B
MD5
bb27934be8860266d478c13f2d65f45e
SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb
-
Filesize
152B
MD5
e11c77d0fa99af6b1b282a22dcb1cf4a
SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d
SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0
SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3
-
Filesize
152B
MD5
c0a1774f8079fe496e694f35dfdcf8bc
SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3
SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb
SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b
-
Filesize
5KB
MD5
95152c9ae5dcdbaf757a50c927276bba
SHA1
bab1e80f30fe515e722c14b587ec089f8376e874
SHA256
5bfb362eeb111ca00476949b230302bb4190265d668f4b8669b43080db9b118c
SHA512
5aafbd1fc837a05d4acb934d40a3b90ca4b98ac5e32becfcf4ce89209abbe5c7ce706eb70f7f6f3f625f4d32c3c9d954672c9f84698ad7bd601248f1ec9b4935
-
Filesize
5KB
MD5
9c134b2a960791dfed7cbc73e7d60cc6
SHA1
b938524ea80dab62d59dd0245bc33cd2baa6385d
SHA256
490e0e1fccfcbde0281e97b117fe2e04dfb7bf4342a1dad373b49da3390b5871
SHA512
4ea0ec37e869e40024adc9eff79403b5d6538d674e7ce90f2913b38ff445f6a8ddc22d8b533d90ef1e410a12c568c5142c3965ef0de2de05dde575b8ea1499d6
-
Filesize
10KB
MD5
f1b7253c14a507794f8215aa836e7305
SHA1
a0a26e3cb2bb1a33c6868449dbd97fff7e7b8c0c
SHA256
fc6bf22ade4b01777ce6faed074ab6e0cceaed2d0d9a1ea6ef215b7c1c706839
SHA512
463ca2570bf6a8385ca7d7dcfd0b525531f964d162c4f05020901b944d24622f29f87d474a335c2a544477ba2035508b60d0f9cfb346b6678f8cc6eda085bf91
-
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58