Overview

overview

10

Static

static

10

Nursulan Crack.exe

windows10-2004-x64

10

Nursulan Crack.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2025, 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursulan Crack.exe

  • Size

    63KB

  • MD5

    45a29490589e6635ab2734cf38e47c62

  • SHA1

    69aa8013c4ed1616442077aa4995f4cb1f209cee

  • SHA256

    dbbc3b014153cb0742cc5386136f347b3ad61eb539524d8e925a8a28a23cc73d

  • SHA512

    e67d536411faf00e9f62ac6a39991902641bba38e54c6c2581251300545b52177ac35647a1d2e4f502a9864d722ba21ca5b14184a6abf518256397d9570354bd

  • SSDEEP

    768:O1fwJdXHF378LAC8A+XPfXssq8nXhllT9SzGo1+T4/SBGHmDbDFpP0oXNMJSuxkP:kUFBXn9TUzRcYUb3P9mguxkpqKmY7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3232

Attributes
  • delay

    2

  • install

    true

  • install_file

    Nursulan cRack.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursulan Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursulan Crack.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Nursulan cRack" /tr '"C:\Users\Admin\AppData\Roaming\Nursulan cRack.exe"' & exit
      2⤵
        PID:4928
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Nursulan cRack" /tr '"C:\Users\Admin\AppData\Roaming\Nursulan cRack.exe"'
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2716
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp700F.tmp.bat""
        2⤵
          PID:5384
          • C:\Windows\system32\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:2788
          • C:\Users\Admin\AppData\Roaming\Nursulan cRack.exe
            "C:\Users\Admin\AppData\Roaming\Nursulan cRack.exe"
            3⤵
              PID:5552

        Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursulan cRack.exe.log
          Filesize

          871B

          MD5

          d58f949aad7df2e7b55248bfdfc6e1b8

          SHA1

          6713cad396b5808b66ede2dd9b169e00d5e5018f

          SHA256

          5e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a

          SHA512

          bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp700F.tmp.bat
          Filesize

          158B

          MD5

          347dee18846bb24c820b4b4e33b5b1b9

          SHA1

          14410922fbd73e1157a998183e6f5ce211636a8b

          SHA256

          1143445e4c8e7440abb0f7cf125c8f7c0af0e1d9e1bbcaf9cd4019713317d887

          SHA512

          86d0f6c6c67eb80bdd1c23a950b82d8975184e442dfa131228b6d302ee01420126af3b4b5cfd6e570bf99539ecf4ebdc1fe22c606a7a302e3d5aa2a11013b3a7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Nursulan cRack.exe
          Filesize

          63KB

          MD5

          45a29490589e6635ab2734cf38e47c62

          SHA1

          69aa8013c4ed1616442077aa4995f4cb1f209cee

          SHA256

          dbbc3b014153cb0742cc5386136f347b3ad61eb539524d8e925a8a28a23cc73d

          SHA512

          e67d536411faf00e9f62ac6a39991902641bba38e54c6c2581251300545b52177ac35647a1d2e4f502a9864d722ba21ca5b14184a6abf518256397d9570354bd

          Download Submit

        • memory/1500-1-0x0000000000420000-0x0000000000436000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1500-0-0x00007FFE33363000-0x00007FFE33365000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1500-2-0x00007FFE33360000-0x00007FFE33E21000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1500-8-0x00007FFE33360000-0x00007FFE33E21000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1500-7-0x00007FFE33360000-0x00007FFE33E21000-memory.dmp

          Filesize

          10.8MB

          Download