Analysis
-
max time kernel
4s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
31/03/2025, 02:02
General
-
Target
Downloads.exe
-
Size
11.1MB
-
MD5
03443b92e798c949af90c1afc59be60b
-
SHA1
a860455aa51306f6563ec1091db8bbebb1afc672
-
SHA256
da88e9a029e6335e992a131cd0e4cc60c28a3cdad23d628d54db770ee694ace5
-
SHA512
eaf0ff832c28c06d413e6200538f4f3d264c919850eee72a9f9cccd3480a07aeff0ae8bc2d00af8ab66924707e7aca8cf0c237ca2e157478271ef5d68d9764b3
-
SSDEEP
196608:zzXuVy7rxVoq0Rw3b/kiZOjI5oiYwrFdF8jr1N6NforhRiVtl7X/LDouPs1sjPPZ:eopVofYjxFYwrFdFK1N8fo2VL7vLDQqZ
Malware Config
Extracted
asyncrat
0.5.8
Default
197.48.105.157:5505
41.233.14.164:5505
197.48.230.161:5505
102.41.58.213:5505
RW4mawavalFO
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Office04
102.41.58.213:5505
1e97a2db-0622-4c39-84ac-2f640c70aaf5
-
encryption_key
1F6CCF154B4C85A58D675CA9A482E9C7A041C879
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Umbral payload 2 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
XMRig Miner payload 2 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 5 IoCs
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Downloads.exe"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\DellTPM.exe"C:\Users\Admin\AppData\Local\Temp\DellTPM.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DellTPM.exe"C:\Users\Admin\AppData\Local\Temp\DellTPM.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\xmrig.exe"C:\Users\Admin\AppData\Local\Temp\xmrig.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.0MB
MD5d735b955e73cd77ea538c8a07b92fb77
SHA1b0a258aa1898bc3a7ae150ca5a7c75f1110ecdf5
SHA256faffb319345d200a558403952e5471bb9087769778a5a79cbeef7668c8097289
SHA5123b36c2a7d877dfc156ba800bd2bdd6a1d51f8aed08511082c097051e1c1e10275f278f4020c7d7d668f3a62c42a6cfddc36070dde1c9ba22ba015f87c3e410bf
-
Filesize
231KB
MD5cb74e74c04357a7f8c0df2277c4248f0
SHA11bc3fedce9f5e6a71b7e493699cb3774b8042c18
SHA256d1734e1266ee9ae362168458054123674211b0bd40ca93732114735886a12895
SHA512c62322e61bcec1f2efe4736f73df73fd256c8a2361599b7c270521966cdba38a800a8f30b67748a06753c46904f470c087f748c85f1251ace0cab888e5b4af31
-
Filesize
1.8MB
MD52a4aad7818d527bbea76e9e81077cc21
SHA14db3b39874c01bf3ba1ab8659957bbc28aab1ab2
SHA2564712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e
SHA512d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68
-
Filesize
2KB
MD51cdbd472c68d1f35a20e0fadeff45af3
SHA13a40e0bd82550ee2eb3faec4232aa118f36b0276
SHA2566e4c57c72f39daff5ec37ded92939d18da3179ccb3acaa4a54358dc86758d422
SHA51275d97da51e23bb896a1ab024c85116b29ae8d2a10a2335768ea33a1f9b1cfbcf31c5c3f81b8275226e2aa4e44db55fec3c6d91a3055f380f63e4ae6325782ac1
-
Filesize
45KB
MD5c4484c446e4151680918c3564a6e7eca
SHA1ad142d75ffd178efbf556726392d69f735506466
SHA256f4d8d8829ff73a9c12e508a6f37d8a2e97f8cd9673d2d471d2c9c7af843db3a0
SHA5121726d8493d8897c8165c2e1aeee1df699e1cc3b42836345af0f9b4e486daaea679421f26908518d57bb5ca3c7ff7460c914233847719909119519fa9175de247
-
Filesize
3.1MB
MD544bf522a553e8fde9a377f75fde20442
SHA10f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e
SHA2561467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7
SHA512f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879
-
Filesize
6.1MB
MD5f6d520ae125f03056c4646c508218d16
SHA1f65e63d14dd57eadb262deaa2b1a8a965a2a962c
SHA256d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1
SHA512d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d
-
Filesize
128KB
-
Filesize
6.4MB
-
Filesize
256KB
-
Filesize
3.1MB
-
Filesize
72KB