Analysis
-
max time kernel
299s -
max time network
298s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
24-01-2025 13:09
General
-
Target
https://drive.google.com/open?id=1SiPYS7dOCqZL-RA623kuWfn_3-qYOBlu
Malware Config
Extracted
asyncrat
0.5.7A
SERVERDISCOTEK
discotek.duckdns.org:6606
cjebudnuemhbsoyv
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/open?id=1SiPYS7dOCqZL-RA623kuWfn_3-qYOBlu1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc06ee3cb8,0x7ffc06ee3cc8,0x7ffc06ee3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,15191067710798504481,2310091382342824040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5052 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16061:194:7zEvent2411⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\EMISION Y ELABORACION, FACTURA ELECTRONICA APROBADA, RD 9065412254.exe"C:\Users\Admin\Downloads\EMISION Y ELABORACION, FACTURA ELECTRONICA APROBADA, RD 9065412254.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\EMISION Y ELABORACION, FACTURA ELECTRONICA APROBADA, RD 9065412254.exe"C:\Users\Admin\Downloads\EMISION Y ELABORACION, FACTURA ELECTRONICA APROBADA, RD 9065412254.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\EMISION Y ELABORACION, FACTURA ELECTRONICA APROBADA, RD 9065412254.exe"C:\Users\Admin\Downloads\EMISION Y ELABORACION, FACTURA ELECTRONICA APROBADA, RD 9065412254.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5aad1d98ca9748cc4c31aa3b5abfe0fed
SHA132e8d4d9447b13bc00ec3eb15a88c55c29489495
SHA2562a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e
SHA512150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72
-
Filesize
152B
MD5cb557349d7af9d6754aed39b4ace5bee
SHA104de2ac30defbb36508a41872ddb475effe2d793
SHA256cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee
SHA512f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a
-
Filesize
480B
MD5c070b587a97a66d9a4f60213ad47cb69
SHA1fc19e323aa8b0586568f6ca7d0bac70c7ccc863f
SHA2561f9a8c5e39a590f5dc8d5f057affe57b09f50ca989e71f3ea1e0d0778edd0ed1
SHA51202825d5c26ab6903515e7146b3375043916eee55b89a2643976cee4315a2ffbc85d5573b6134574ad3301303f69e99d5bb6921c07b52212d1585db6e4a18d263
-
Filesize
3KB
MD5ee5f5d8e864ea0f54f8dff18b609d886
SHA159fce37696194f19dc07914197efba86919a6320
SHA2566f33a3ca2d10542f83f0e766e0950fc060716a5daea21f28ce9a7ccf62268afb
SHA512b9a01c787a86c7908056e41f9c18ac7ed5069e8aff4c009f6465119abdcdde4dc5a58fc80d2a9a819eee9f5658e467fb5dea0601e63ec1ab9e05fefcaff92bed
-
Filesize
3KB
MD5ec220d87d6f6e5382d09164e2fd58008
SHA19a7dbb75e1ee29c1b25c2410bb96d7e2e9516e82
SHA2565255d964729d588840f33f7c4095cf04a13c7e699d58798eca1ea4089ddd75c2
SHA5123a8a445e1478d059fe0e7517063c4a450f910792e1b644cb16fff8cf8e7c62b3b5a73832ca932faa1b25738e4afabdf32662e111eb8c467ef736ffb478b56df2
-
Filesize
3KB
MD5251a789ae06239b12a59da8c583791b8
SHA14045d5609a7636151b0b79a5ffcf1420d9216e3c
SHA2562fa8e19b6bfd5aa9bb8cacc0c75b9f52408715d6edc5a98e6d2a11baa41f2443
SHA5121544daf8b967303771a87b04ece2dc945d37ccb2c84acfad94c99340fb5269be4b931967bc569a5239c3d6039f688d6ceb51e121f5d77507a668c2a727397bcc
-
Filesize
3KB
MD5619c26c8ffad887e398c1c0ad15965e8
SHA19402ee5d0317493e5beda6ef8773f607897902bd
SHA2567b5bc3dd5c2640bca83384ce8d059dd43cba55ffe6d8736915a3311384bcbe0d
SHA512d186aff4708098ab9ee92b0011f0397e1663be67449bdc9e19e464743a61d64e61ddb45f796f99a813e8a16f43d573e703d948cec9c3c81a074955edc3c4d754
-
Filesize
6KB
MD5efc443dc2d1f88fbb9d377a48a3929c7
SHA1e833f377524d77e9a791dcd6ee41afb3d8943d2c
SHA256089a26877e9920e6854432f48e886cd96d3529effd0cadbdc523bb737c2f17ed
SHA512e57a3344b8b96632243f1449a7ae9a9e0e97dab84f19d2a32f1bc104b8000b0c6081ed97e21956f2abf3b393ea316bbf32fee6e21406d6db4b3d1c1ec5d2cfc3
-
Filesize
5KB
MD5c3d7ac94cad98c41e8eceaa909947812
SHA1de479f37b5a5c2f929226825696efbccbe7e7f03
SHA25638203d21dfc77a941c624785bbaf727c41d3af37853b7047652cfe8b626770ba
SHA5123dfb5ddabc02ece73da7090725df0231cb748df8829b5fc375b13a543e16af9bd851fb4448690a13efa2b8ea9662d665db1be4dc44b284e4b1cf4a81f2a3bf1f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5eb4f1a9d169709746e6da0e007493621
SHA13ff90665bf7fd556d42cabf706a19c8019bc5d96
SHA2565a48948616e1225d3090b61bf7bc5cc576b3ce85755cdde487896dc2ec2c4b2c
SHA51212b2cfc48bfedd2d595d92c7585c9ba4fbce4812e1269b95925d145f5aeb00400d8258f8b865dc3d9dea21086e33162007e4ab8993e5ce6acb65752e37dfaa1d
-
Filesize
10KB
MD5f98f31636f1383cfefcf88c5ccf3fd4d
SHA1a0664e138b712e4def78997ec38b1e39f6e5f8ab
SHA2565fffe5a9bcae51085c4bb61ad2a343c0ea4c23cad5bb303a2bea09e0b5b16c71
SHA51219b47f933d7cf34783d4f4c03a167139ad6124283b51d0f41cee4a2d0badb802cbcfc93060173af12e68971b3b4b00394ccd1de9064abb43039e2b04c9b9e358
-
Filesize
1.4MB
MD5ceca5338efefd5ab6950dd33126099e9
SHA1e95248f41489259e6e38751588473a3d37ce8b36
SHA25679a23e29085113b45b0f15563b1884dd9c62eb89903898c253bdd111c99478b3
SHA512aa8d26596e01211259b0771448f91703ad549640d3c9c8b6d4abc2225979b2c6e190d98ab7b65bec444057c3ddd0fb83235fd20a57a34450803f971d71e213be
-
Filesize
186B
MD53e5ecb17b01e436b1f649a8a0ae85ba6
SHA1d5e88498a0f11981cadc6d457a4b4af5ce51537d
SHA256e91a22f3acd9da339ed7fcf9fc3431391e76a4dd1c43e1cf02aebfcaae14f6a7
SHA512330e22bbb32604fd897d558e4abd2a3f087b292194f8d64149e5ce90c177bbe1783c7ea3d9cffffc4d1f6dc2c7de8a45372f227fad56eeab3aa1b466dc7fd636
-
Filesize
1.1MB
MD5a83cbb03d0b0aad8ac1bd520255f0ca5
SHA10e97977fb7b697a0c8f56cde9b965f41b1f83b29
SHA2568ef267c43563c355736912d5af771681de4f6c7dc732eecbbff8445a4bd4b1eb
SHA512e040cfc8129bc4419c8d190ecceb7f5bcc0a7ef46cae6e17953c1314d75c6ebd258ca5acf58703ac6bc31638bf894f794a39bac59e7ff0500be479979819dcf8
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
5.6MB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
584KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
1012KB
-
Filesize
304KB
-
Filesize
360KB
-
Filesize
368KB
-
Filesize
336KB
-
Filesize
1.4MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
1.0MB