Edit tour

Windows Analysis Report
Iu4csQ2rwX.msi

Overview

General Information

Sample name:	Iu4csQ2rwX.msi renamed because original name is a hash value
Original sample name:	6d3f68d31efc5fc456850af228427c25.msi
Analysis ID:	1431500
MD5:	6d3f68d31efc5fc456850af228427c25
SHA1:	487fcaaab61ce4e76d6a1e2568cf3602a5f6632b
SHA256:	147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974
Tags:	AsyncRATmsi
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 2312 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Iu4csQ2rwX.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1344 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6892 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 49FA398F3E264BE26A418C8408A7EA4A MD5: 9D09DC1EDA745A5F87553048E57620CF)

icacls.exe (PID: 7180 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 7232 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mafiachroom.exe (PID: 7300 cmdline: "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe" MD5: 6E7EBD37B6095CB1A2F3FFA9D5598C81)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "127.0.0.1,twinks234.duckdns.org,", "Port": "6606,7707,8808", "Version": "AWS | 3Losh", "MutexName": "mafiaEXE", "Autorun": "false", "Group": "true"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Iu4csQ2rwX.msi	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Iu4csQ2rwX.msi	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4d4f0:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x17a20c:$a2: Stub.exe 0x17a29c:$a2: Stub.exe 0x49ba7:$a3: get_ActivatePong 0x4d708:$a4: vmware 0x4d580:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x4abd8:$a6: get_SslClient
Iu4csQ2rwX.msi	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x4d582:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Installer\6c70ae.msi	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Windows\Installer\6c70ae.msi	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4d4f0:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x17a20c:$a2: Stub.exe 0x17a29c:$a2: Stub.exe 0x49ba7:$a3: get_ActivatePong 0x4d708:$a4: vmware 0x4d580:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x4abd8:$a6: get_SslClient
C:\Windows\Installer\6c70ae.msi	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x4d582:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd4f0:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x13a20c:$a2: Stub.exe 0x13a29c:$a2: Stub.exe 0x9ba7:$a3: get_ActivatePong 0xd708:$a4: vmware 0xd580:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xabd8:$a6: get_SslClient
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd582:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd494:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x13a080:$a2: Stub.exe 0x13a110:$a2: Stub.exe 0x9b4b:$a3: get_ActivatePong 0xd6ac:$a4: vmware 0xd524:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xab7c:$a6: get_SslClient
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd526:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3a273:$x1: AsyncRAT 0x3a2b1:$x1: AsyncRAT
00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd294:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x13a680:$a2: Stub.exe 0x13a710:$a2: Stub.exe 0x994b:$a3: get_ActivatePong 0xd4ac:$a4: vmware 0xd324:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa97c:$a6: get_SslClient
00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd326:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: mafiachroom.exe PID: 7300	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1a394:$x1: AsyncRAT 0x1a3c6:$x1: AsyncRAT

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.mafiachroom.exe.7c0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.0.mafiachroom.exe.7c0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.0.mafiachroom.exe.7c0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd494:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x13a080:$a2: Stub.exe 0x13a110:$a2: Stub.exe 0x9b4b:$a3: get_ActivatePong 0xd6ac:$a4: vmware 0xd524:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xab7c:$a6: get_SslClient
7.0.mafiachroom.exe.7c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd526:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000007.00000002.4721778629.0000000002C61000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,twinks234.duckdns.org,", "Port": "6606,7707,8808", "Version": "AWS | 3Losh", "MutexName": "mafiaEXE", "Autorun": "false", "Group": "true"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	Virustotal: Detection: 60%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe (copy)	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: Iu4csQ2rwX.msi	ReversingLabs: Detection: 50%
Source: Iu4csQ2rwX.msi	Virustotal: Detection: 44%			Perma Link

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.42.65.94:443 -> 192.168.2.4:49772 version: TLS 1.2

Source:

Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: Iu4csQ2rwX.msi, 6c70ae.msi.1.dr, MSI7206.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: twinks234.duckdns.org
Source: Malware configuration extractor	URLs:

Uses dynamic DNS services

Source: unknown

DNS query: name: twinks234.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED

Source: global traffic

HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1714035143184Host: self.events.data.microsoft.comContent-Length: 7974Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

DNS traffic detected: query: twinks234.duckdns.org replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.204.65
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.204.65
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.94
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dp3LT5UDBFGklVa&MD=ECx2K67C HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dp3LT5UDBFGklVa&MD=ECx2K67C HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic

DNS traffic detected: DNS query: twinks234.duckdns.org

Source: unknown

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.42.65.94:443 -> 192.168.2.4:49772 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Iu4csQ2rwX.msi, type: SAMPLE
Source: Yara match	File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Installer\6c70ae.msi, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Iu4csQ2rwX.msi, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Iu4csQ2rwX.msi, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: mafiachroom.exe PID: 7300, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c70ae.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{BE13E8ED-EE1E-41EA-93EE-21B2B781511E}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7206.tmp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe

Code function: 7_2_029FE048

7_2_029FE048

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSI7206.tmp FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1

Source: Iu4csQ2rwX.msi	Binary or memory string: OriginalFilenameStub.exe" vs Iu4csQ2rwX.msi
Source: Iu4csQ2rwX.msi	Binary or memory string: OriginalFilenameGoogleUpdateSetup.exe< vs Iu4csQ2rwX.msi

Source: Iu4csQ2rwX.msi, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Iu4csQ2rwX.msi, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: mafiachroom.exe PID: 7300, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: d6568875baf18047a674d73da59f1fb3.tmp.5.dr, AtjEEKOEuHXUOep.cs

Base64 encoded string: 'ksQPxnES2fM8HYnhktKYQddmpNNvaPZcZXlbPq8AMWbKnoeQXFPkfKVZ8UfTiDguZfOWZMfUXSgI7Ux3e+eSPQ==', 'SgQXL2QA4L9vwixmFL+JxlZfG6w8CiqLoFBV7G5CTA/DicQG+u5K2c7VX9fxnYDGxOz0G8YT9YiLMQpmhmojdNqFs06hw1ygjn44iXtNlvF4W6GHuHxbJQCJK0mWHXKk', 'sr5Xdq1ax701VPJO+EBt6ZHFQhv3uIoSV0Ju2Ui5tbo5pZda+YCweYpmscCN+cVtHAm6niAwKAWhUZCUOm3JKw==', 'jv5uHnH//wFnNAlX7HNmfB0Jw/o6M/zg3tmOk3tWdhNPu8QqEMWxNuaUPPKUTIuE0scC4rZXJRp3DRpa8ZNLD4qYDfltUcGU3fEhfdwacUgvDumV6CIIBMIjP1hV+zwRrU1YZMWfd/z+xb2zQmTM9182ZXEM92QMuZNXzxcpGATdtnY69M0DXjhMNyqubejSfDJD3rLbiN1aU12jDV4VWFgiHv/S/OHxI8On7rkaU08/qnxDHy5qxb7TldPQwcTglySVqzBIICjoyf1CUet8tXPzi0t31Xvms9EpRkqjlGfXR2s8khdXLJbfO70aaN38UigP75kJXemV6FlDl6xCdX8SDDuQA/fVCv390SGxEWEN6bOo2gvBi86P4qfEJTodN2uoNTf5OakXJCaIhi7MhBgQ6ElEuhFmDQXmkQlh+/JBV9JdOH74laUv1c3pNXWAdhrdDCcSlHzPy1DEUXQQRhVDgwkBGo2X4D4u818VgqooyD/AP/h/jclOzYcNC7Hzzm9zd+hgQxIkDUcK7HcLL3xPUzGSbuhsDAwi7HNlPbkockc5D1LBLvXgftT7fxTMdE3Sd65Gtcrc01eKqtsZTgYT5Pp/HoSS+WS37tt4xGh9ypCnz3ZY2FzmA7RMOXz9+Ya7Iy4ckBjzxsmsk5WTNICea1BrLvlN7pllgW1bxW1xcqTNEtLrQzpwcMxYQbqu7Zqu6yOh535jDgcLdCtHsOkX6lR3R8ppI+zKxUm+7KuVR+33PY93IIRDJ0kbrbaI65WXyAVp+apX42zAGzvLusbFSb9KX7tY5D1N038vwKEfjsfieHUUXjuRuTXj2NDI/dq1ifOUo8WLn9auhVfwZ4qsxO3wIZV2Wxa5+0a7slmMjFwJmv4Ela6TXQMxOtLfAsVQHWvPDZ1dYogxKcPQ+cT8VnU8lTVihQUc1Cj6TyXG7yCp1XGVsslwbLQIzxwUsYpULIpVfhG1t/+PLNuM+ex+oUVW+JkiLcul/9LEwep3EVhPOVeK/9Sd3JYKdTVbVPhwPuTR2KVMJqPNhrFNNZQoP8WturkpLq+/TY/FMJFWu1Mf14UOryBjPu2kKA18VXM89h7JZjsWYDTvEsCaJ5yqrPm2CQ50MXeWbbE5bsAzC5ru4WBxf+o/wbvRqq9Ce7wskm2Hl9PcCYHMOHj5FxTBSSb8XkzwyjkoACAtk2x/PCBNYy/d+S4+uaJTPGnYy4sH3ml9cmvF79u8h++Jqn/ZhLgDfl7xyOYUTWueDnvRiRxsAdnfxahPHD8GC4AqJE7MvlzGMc+ZAx2PKd1u9RhEdkyOPQMLNZsAGj9XSqG/HO2+eImZ+4V8WokmDKCZP7rwkARHZPscJ9N99oOKkFeMaQ397HIo869BqUh621m9+ReUMtlW9kY2OFG1hr2ODcNP7Q8wByq7BYSrJ/n6+Ael6afm6Y7yHxxSfm31D8Zni5GV3qUZwrlzLDMGfQZ/HOX/9KVT6iLoff0YhB6hsR0XHUViJoxjB9+CaSsuviii/46jybxSA6zzl1FFjOFPU1rl6+nqxwXcfPOaKqYeRbAlhIWCVcbz3VuBTi7su5tCE+XAP3XUnZG6uyWJNjjkcac5lWUYa/xhalMUsUuueA9bNZ8ExzAyJuHnza9lvtMIMbh+Wy6I4PVtgqSaQwYxKVUMui5bAEJq9BVVud8eKWYY+ex/eS1jqUeVFm6KL5otk7hflexlTli/jYCX/V7Q/1Qx5Ao33wWjymwdiITf+pCUffG1Tjq8zUmS4uHar6AtlBE0TNB8PkfQLWfwJYBARITB7Tn2uADQYW/U1OR0GTIPbFWfsHufQm4rYKauCqjqueuu4s7jNHhQHRRelzb6JgkXlpCC0ovTbI8Sii1CUqG/LAQzoY8qofiSkLqoyqn93hSB4VP97y1Dzzq7XhkMUO/LmPnChAzK3swIToGizA0Sr9FQ5N7yYjXm2ptv8aJNy05QQoJaaXcmUIdrgHhsK4bAZ6leBUh6IX7bPgfMz9GsXY/i2gsbVBtzk2O1ZvbGvct9v1cb7TJdFtk4n64QylnoJnvzVrMC1WfR7iGt1rKfiwN6xO3goeis5z6DH5xgOcEsBlTGPMgsVJz3UHbv2WXnBd0dNVObHUysnZIOZBDIqGA0Z5FTQyKwVCYOb6h+XMp3Z18LuB67CTeLzImoR/0jSbvAV55jc/W03JCzJ7HOlEob47zVy0Xd1sXj5DKhlYQGR5YrMF4mIwkP7xoFZkXbNVag2p3eNnT7WoQVzptvCgUnkDLYEIlh7C8YCX8MvtnfoJPMmaRJUohc7mKz4l2vVx7cpck0DRcu9UQ7NPe6pGwLSqwUdOvWX82rFzU=', 'rPKGR/Pk0v34iOtuba4jVAhs6crwp/6wbLU49IS66y/IrzIFWD+98JypPwKVjIVdRENpzBPZhABm4RIgLrqAsEk7c4eo/kYpYjzd7nQlwCLvjRxqwHe6pfGbI8odhHQPtO1xB6Po+N/rIT+GlTrTDkN3I/vlbDPkPC5NjqCzl2ZPs3aGoma41/f4gJGPS/cICc40o0BTCtFVNb0c29mGSVqzW4lZUkmCU1i/Otv+4OL8d5pIjPWP/sobbbHtK1IcuAnm12/+95t7ZE0NGT1/rY9eYRj3en3ZhnNseeQ/EmaeIgMT2M4YeKzVJzapxviczHioUsT3m6N

Source: classification engine

Classification label: mal100.troj.evad.winMSI@12/13@8/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Mutant created: \Sessions\1\BaseNamedObjects\mafiaEXE

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFEEBD6A38A1E19B64.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\msiwrapper.ini

Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Iu4csQ2rwX.msi	ReversingLabs: Detection: 50%
Source: Iu4csQ2rwX.msi	Virustotal: Detection: 44%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Iu4csQ2rwX.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 49FA398F3E264BE26A418C8408A7EA4A
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 49FA398F3E264BE26A418C8408A7EA4A	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\msiwrapper.ini

Jump to behavior

Source: Iu4csQ2rwX.msi

Static file information: File size 1552384 > 1048576

Source:

Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: Iu4csQ2rwX.msi, 6c70ae.msi.1.dr, MSI7206.tmp.1.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: d6568875baf18047a674d73da59f1fb3.tmp.5.dr, ujxpsfygzVqvr.cs

.Net Code: UZwAtRevkNJm System.AppDomain.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Code function: 7_2_029FA89E push 00000005h; ret	7_2_029FA8A6
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Code function: 7_2_029FA8BE push 00000005h; ret	7_2_029FA8C6
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Code function: 7_2_029FA85E push 00000005h; ret	7_2_029FA866
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Code function: 7_2_029FA87E push 00000005h; ret	7_2_029FA886

Source: d6568875baf18047a674d73da59f1fb3.tmp.5.dr, YWmRkWYrYGPet.cs	High entropy of concatenated method names: 'dOLkdHCjzPHOK', 'PcHoejmereKNz', 'OZtFFradpqx', 'ZMDVdpULrjF', 'UkBtrgkGaOCpi', 'iwFRajAjpAmh', 'raJGsWKBGiWiLlJ', 'qSvPuuyFOZo', 'ZVtGUpLMMg', 'DSFRqIgqmPZ'
Source: d6568875baf18047a674d73da59f1fb3.tmp.5.dr, SSBptkGuhwd.cs	High entropy of concatenated method names: 'AlvQbzcpWiYHWNLc', 'qRmxoPOEWB', 'LvkblCiiBspjmvk', 'OQrExEtkalkUsP', 'xVIPiVkQkrYm', 'qiVWUUwAcvhIe', 'tipFhEQwhk', 'JoFwsKIJcYc', 'yppPjeoCEiujCA', 'nQNUgHpaPJrGgHr'

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7206.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI7206.tmp

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Iu4csQ2rwX.msi, type: SAMPLE
Source: Yara match	File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Installer\6c70ae.msi, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Iu4csQ2rwX.msi, type: SAMPLE
Source: Yara match	File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Installer\6c70ae.msi, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Iu4csQ2rwX.msi, 6c70ae.msi.1.dr, files.cab.2.dr, d6568875baf18047a674d73da59f1fb3.tmp.5.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe

Window / User API: threadDelayed 9715

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Dropped PE file which has not been started: C:\Windows\Installer\MSI7206.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe TID: 7344	Thread sleep count: 250 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe TID: 7344	Thread sleep time: -250000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe TID: 7344	Thread sleep count: 9715 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe TID: 7344	Thread sleep time: -9715000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: d6568875baf18047a674d73da59f1fb3.tmp.5.dr	Binary or memory string: vmware
Source: mafiachroom.exe, 00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Iu4csQ2rwX.msi, type: SAMPLE
Source: Yara match	File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Installer\6c70ae.msi, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	2 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Services File Permissions Weakness	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	24 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Iu4csQ2rwX.msi	50%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
Iu4csQ2rwX.msi	44%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe (copy)	61%	Virustotal		Browse
C:\Windows\Installer\MSI7206.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7206.tmp	1%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
twinks234.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
twinks234.duckdns.org	0%	Avira URL Cloud	safe
twinks234.duckdns.org	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
twinks234.duckdns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
twinks234.duckdns.org	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431500
Start date and time:	2024-04-25 10:46:41 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Iu4csQ2rwX.msi renamed because original name is a hash value
Original Sample Name:	6d3f68d31efc5fc456850af228427c25.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@12/13@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer Override analysis time to 119996.9943 for current running targets taking high CPU consumption Override analysis time to 239993.9886 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 192.229.211.108
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, self.events.data.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:48:09	API Interceptor	12316733x Sleep call for process: mafiachroom.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	52.165.165.26
	http://survey-smiles.com	Get hash	malicious	Unknown	Browse	52.165.165.26
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	52.165.165.26
	http://rapnews.pl	Get hash	malicious	Unknown	Browse	52.165.165.26
	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	52.165.165.26
	https://app.milanote.com/1RZbnl1zfBXuaf?p=r2B66sphbV4	Get hash	malicious	Unknown	Browse	52.165.165.26
	http://decktop.us/gORiyf	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26
	https://cos-aliyun8789.towqzg.cn/	Get hash	malicious	Unknown	Browse	52.165.165.26
	https://shining-melodic-magnesium.glitch.me/rvicendDev.html	Get hash	malicious	Unknown	Browse	52.165.165.26
	http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26
a0e9f5d64349fb13191bc781f81f42e1	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse	20.42.65.94
	SHEOrder-10524.exe	Get hash	malicious	Remcos, DBatLoader	Browse	20.42.65.94
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	20.42.65.94
	https://56hytuti5.weebly.com/	Get hash	malicious	Unknown	Browse	20.42.65.94
	udVh4Ist4Z.exe	Get hash	malicious	Remcos, DBatLoader	Browse	20.42.65.94
	samradapps_datepicker_221114.xlam	Get hash	malicious	Unknown	Browse	20.42.65.94
	Enquiry 230424.bat	Get hash	malicious	Remcos, DBatLoader	Browse	20.42.65.94
	URGENTE_NOTIFICATION.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	20.42.65.94
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	20.42.65.94
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	20.42.65.94

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI7206.tmp	SecuriteInfo.com.Trojan.Generic.35702255.16709.9631.msi	Get hash	malicious	Hidden Macro 4.0	Browse
	SecuriteInfo.com.Trojan.Generic.35702255.16709.9631.msi	Get hash	malicious	Hidden Macro 4.0	Browse
	psmb.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 1289612 bytes, 1 file, at 0x2c +A "mafiachroom.exe", ID 3549, number 1, 40 datablocks, 0 compression
Category:	dropped
Size (bytes):	1289612
Entropy (8bit):	7.943191122442787
Encrypted:	false
SSDEEP:	24576:TLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqFWVgK:TLcJyEq9GRhvVqtV01Mq7kctDAUdGHWZ
MD5:	D4E7F05D7F6A7DC75F468DBCAA9F437F
SHA1:	F377284434B0200C6EBEBA730DFCDDAFF7F2DE13
SHA-256:	943EF4C71D53EF383EE9591D460799C7E503E493C26ABDD6DED50EB82F2DD47F
SHA-512:	9F8D960EE4367F388A0717B9A3991682A900F13DB547DD51242A6C1686A2D9BADBB94446DB36700116C0C7753DAACC7FB43EC35C09E94BC462E74C36E2B86BF5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, Author: ditekSHen
Reputation:	low
Preview:	MSCF............,...................L...(..............X.. .mafiachroom.exe.."x.....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]x^e................................. ... ....@.. ..............................N4....`.................................<...O.... ..s............................................................................ ............... ..H............text........ ...................... ..`.rsrc...s.... ......................@..@.reloc..............................@..B................p.......H.......X}................................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(A......2~.....oB....s..........()...:(...(...:....(+...:....('...:....((...9.....(y...V~'...(3....(...(....*.r!

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1289216
Entropy (8bit):	7.943449212177756
Encrypted:	false
SSDEEP:	24576:1lcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVvQ:1lcCyEq9DRho/ctH01Ws74rA4RUBDHgq
MD5:	6E7EBD37B6095CB1A2F3FFA9D5598C81
SHA1:	D4D0CFA65F6DD224AF16FF81A29ABDF6AB0EAB69
SHA-256:	1CF774A50175EB7321B1366C585CCFC68BDF0916D8E78EDF1FE24E079209EB9E
SHA-512:	F23D689393DB2F8292018D8B303992B19DD8B9CFD4F226A84DDD70D30EC2D89083E9B1418D5F82E04A1A81D9014387E0450747B99A02FC32E094C987CC2C782B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 61%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]x^e................................. ... ....@.. ..............................N4....`.................................<...O.... ..s............................................................................ ............... ..H............text........ ...................... ..`.rsrc...s.... ......................@..@.reloc..............................@..B................p.......H.......X}................................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(A......2~.....oB....s..........()...:(...(...:....(+...:....('...:....((...9.....(y...V~'...(3....(...(.....r!4.p(....r+4.p(r....$......4...sC....'...~.....(......)...V(....s.... ...o....*b.+.

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1289216
Entropy (8bit):	7.943449212177756
Encrypted:	false
SSDEEP:	24576:1lcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVvQ:1lcCyEq9DRho/ctH01Ws74rA4RUBDHgq
MD5:	6E7EBD37B6095CB1A2F3FFA9D5598C81
SHA1:	D4D0CFA65F6DD224AF16FF81A29ABDF6AB0EAB69
SHA-256:	1CF774A50175EB7321B1366C585CCFC68BDF0916D8E78EDF1FE24E079209EB9E
SHA-512:	F23D689393DB2F8292018D8B303992B19DD8B9CFD4F226A84DDD70D30EC2D89083E9B1418D5F82E04A1A81D9014387E0450747B99A02FC32E094C987CC2C782B
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 61%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]x^e................................. ... ....@.. ..............................N4....`.................................<...O.... ..s............................................................................ ............... ..H............text........ ...................... ..`.rsrc...s.... ......................@..@.reloc..............................@..B................p.......H.......X}................................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(A......2~.....oB....s..........()...:(...(...:....(+...:....('...:....((...9.....(y...V~'...(3....(...(.....r!4.p(....r+4.p(r....$......4...sC....'...~.....(......)...V(....s.... ...o....*b.+.

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\msiwrapper.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1472
Entropy (8bit):	3.6623629971399727
Encrypted:	false
SSDEEP:	24:L0VdX8DW8dfjKQZPyag7ESrF39KYixC9KYixLy29KYix1QZNlRu7b:LKeeQkz7JF39Ko9KFl9KrQZRuH
MD5:	281ABB073F619A12C17B92204964376F
SHA1:	693D424F526727D92E4F873DDF8079DB5D384547
SHA-256:	7CB20C8D8CC154F87378592E337D5582EE32BC1B6647B79F4A0459A05DD207AC
SHA-512:	5B644DE545680AA09350619C615876310CED2A8E7029362B3BFE9D6292C60DF9892C8A898A69DED304699D22278669027CA4801740085BB3CFB8A6BA66E8EBA8
Malicious:	false
Reputation:	low
Preview:	W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=.G.o.o.g.l.e. .C.h.r.o.m.e...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.a.d.m.i.n.i.s.t.r.a.t.o.r.s...B.a.s.e.N.a.m.e.=.m.a.f.i.a.c.h.r.o.o.m...e.x.e...C.a.b.H.a.s.h.=.9.4.3.e.f.4.c.7.1.d.5.3.e.f.3.8.3.e.e.9.5.9.1.d.4.6.0.7.9.9.c.7.e.5.0.3.e.4.9.3.c.2.6.a.b.d.d.6.d.e.d.5.0.e.b.8.2.f.2.d.d.4.7.f...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=..S.O.U.R.C.E.D.I.R....U.I.L.e.v.e.l.=.5...F.o.c.u.s.=.y.e.s...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.b.f.5.b.0.9.8.d.-.e.7.2.2.-.4.c.b.5.-.9.f.f.e.-.2.c.0.7.6.0.c.3.2.7.a.0.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.b.f.5.b.0.9.8.d.-.e.7.2.2.-.4.c.b.5.-.9.f.f.e.-.2.c.0.7.6.0.c.3.2.7.a.0.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.P.a.r.

C:\Windows\Installer\6c70ae.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Google Chrome - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 123.0.6312.122, Subject: Google Chrome - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Google LLC, Keywords: Installer, Template: x64;1033, Revision Number: {13CFB811-92D4-4E78-880A-3A795941D09C}, Create Time/Date: Thu Jan 11 14:59:38 2024, Last Saved Time/Date: Thu Jan 11 14:59:38 2024, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
Category:	dropped
Size (bytes):	1552384
Entropy (8bit):	7.805123646694037
Encrypted:	false
SSDEEP:	24576:kt9cpVDhOXLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqF6:jpRhOXLcJyEq9GRhvVqtV01Mq7kctDAo
MD5:	6D3F68D31EFC5FC456850AF228427C25
SHA1:	487FCAAAB61CE4E76D6A1E2568CF3602A5F6632B
SHA-256:	147F810AFFA8A7F95CC8A15CC5918933D3CF430232E132B340180D3878951974
SHA-512:	E1C26181065AD69078E281154F741D318CEEC9D412C030A89397E6D27FF89C224ED7F106B68892F41309264830E48255FF114369985206EFE9C5311F8725DF3D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Windows\Installer\6c70ae.msi, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Windows\Installer\6c70ae.msi, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Windows\Installer\6c70ae.msi, Author: ditekSHen
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7206.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	212992
Entropy (8bit):	6.513409725320959
Encrypted:	false
SSDEEP:	3072:xspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8:jtOdiRQYpgjpjew5DHyGxcqo8
MD5:	0C8921BBCC37C6EFD34FAF44CF3B0CB5
SHA1:	DCFA71246157EDCD09EECAF9D4C5E360B24B3E49
SHA-256:	FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1
SHA-512:	ED55443E20D40CCA90596F0A0542FA5AB83FE0270399ADFAAFD172987FB813DFD44EC0DA0A58C096AF3641003F830341FE259AD5BCE9823F238AE63B7E11E108
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.Generic.35702255.16709.9631.msi, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Generic.35702255.16709.9631.msi, Detection: malicious, Browse Filename: psmb.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L...Y..e...........!.....h..........K................................................]....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{BE13E8ED-EE1E-41EA-93EE-21B2B781511E}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7692339800996187
Encrypted:	false
SSDEEP:	12:JSbX72Fj7f/iAGiLIlHVRpZh/7777777777777777777777777vDHFfmtRk1it/z:JtyQI5tEP5iF
MD5:	892B7CD83624EF32E2706DBD14F68D24
SHA1:	5B86AC3E986110187680CBF2F7AD6AB910AE5563
SHA-256:	9108392014A3C81667125872FE32A81B91EDAEB851F937D31562F3BC2DB6AE86
SHA-512:	3E6047385CB776953BC0D82EBEB9B89B9187CD29667A28E464FD222A9206B06D120E14B571A2433D18F353BF5DF9B5D509D9889EF223FD00F202B3E66FAA4DA9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2264399780340365
Encrypted:	false
SSDEEP:	48:dLQuyPveFXJpT5g9pNhdASPo/rXvdASB21rBJq:dQCRTUpNkoq
MD5:	AC2974284B998CE815AEBAA18C792EF9
SHA1:	353878AF3BE88908B8DAE50A603165706901848B
SHA-256:	2DAB60657892B5931633B3434B080FCCDD93459C5EC51D8FC97F8A92F7A52617
SHA-512:	15BE58EC8703E2386670D0C009208E39F3390FC408985B0B1E59DD85E193E93A0EAE3BDE3F0EFF6999EDB46B3E0236028B7D253958CAED8B662EFF78ABD21E4E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\DPX\setupact.log

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	345054
Entropy (8bit):	4.386377718866352
Encrypted:	false
SSDEEP:	192:0K9KmK9KIK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7R:W
MD5:	8B72457D1938B5D9E2315E6E78160917
SHA1:	8FA88A04D0F6CF01742FB85337251FDCE7998012
SHA-256:	FC51DB92DB8DD84C4E80C4EE04A47FA600214F2CF0B42415E3D5F83FCA840D63
SHA-512:	1D6D640BB448A13FB87024E6EDC8B2C0D8145F72EAEFE6D38F9F8CB5CB59A4E2BEDBC3285BF0EA90F64F0A363BBE43F71288C65EBD9BC1C53657E5755C3578E5
Malicious:	false
Preview:	.2023-10-03 11:48:47, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX CJob::Resume completed with status: 0x0..2023-10-03 11:48:47, Info DPX Ended DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.3751734831354545
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauN:zTtbmkExhMJCIpErI
MD5:	53A788998286B1FEC1368D97FADBD5F2
SHA1:	695F6C740AC128536A73AD2EA559F5BB040C1265
SHA-256:	886EE555A5F5C7AF778ECDD0B16D0CF84AB07529BB8F5A8C1E1B49AD532B579B
SHA-512:	AD8F93A201C2DAFC404B82E58394A23D565471FE54F2A94929CDD08FF589AA7F6A084A81348A65EF7A82CB97D967579A6AFD080129980C0FCB93B96B7E7DCD1D
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF5089C8F6485DBCAD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	0.1112771354957745
Encrypted:	false
SSDEEP:	24:zFIqPAE0kwY+wJfAebfdAipV72XdAipVdV2BwGNplrkg9Sk0wu+CJ9b:mqBPrfdASB2XdASPo/rXYNJ9
MD5:	AB5A0A12EEADBE80694DF46E0AB79F62
SHA1:	8E5980EDE5CF477AD00E0BE562D3D094737588B9
SHA-256:	A4224F9F5709902B258BF38490A4FF74BFE3A4E1232A577FCA39D6B4680B1BDD
SHA-512:	B0EB3435D4FB96FCF592B645130603643DC8CFB42E774105D8B1E8540796732A7C1CF04AD9B13E34FD3CF0EA50CE79C000F85F5DA49C926FAA41C5CAD0B26143
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEEBD6A38A1E19B64.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07150915138307373
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOL7BDsc+B7R7kIgVky6lit/:2F0i8n0itFzDHFfmtRkCit/
MD5:	7FFC53FE45A6E495C9024D66AE1712A1
SHA1:	E8FD316F9FFF4731283C63302E064448F7AE0C5B
SHA-256:	B4BC0B01676BAC54694FA20D972BBF1AD63A57F9ADEAFB349118D8F21ED20C1D
SHA-512:	674B314E388751BDF91DE86DBF70841E2B18C2AE2E462EF72918FABD532247B8BB8090396297C46CDD5BFCF2FE68E6F731DA7A6CE9ADF9A68BF657BA78492F9C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	4.707542624470352
Encrypted:	false
SSDEEP:	3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYRJ50ACFkYLIZILDlzsLDIZJ0gEn:zx3MmSLQHtBXVNsRj0kHwD0DIZJQn
MD5:	7FAEE4F4623A57B77908F193F47336F4
SHA1:	443782BFA3F9EA0AAC6E256BB7BDDD5552A762F3
SHA-256:	F97EA661036D2A9CB59B10B2C0D81FE1C3D20A40BF527DDEEC97DBFF8309BCC0
SHA-512:	60A0073B34F8890068B244009E234F430D849234221938BD9CA7331385787B0330E082FB09C69E662E3BA02C2C0E9957696FFD6F9455ED7BEBCEBB8F64153095
Malicious:	false
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\mafiachroom.exe to Extraction Queue....Expanding Files ........Expanding Files Complete .....

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Google Chrome - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 123.0.6312.122, Subject: Google Chrome - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Google LLC, Keywords: Installer, Template: x64;1033, Revision Number: {13CFB811-92D4-4E78-880A-3A795941D09C}, Create Time/Date: Thu Jan 11 14:59:38 2024, Last Saved Time/Date: Thu Jan 11 14:59:38 2024, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
Entropy (8bit):	7.805123646694037
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Iu4csQ2rwX.msi
File size:	1'552'384 bytes
MD5:	6d3f68d31efc5fc456850af228427c25
SHA1:	487fcaaab61ce4e76d6a1e2568cf3602a5f6632b
SHA256:	147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974
SHA512:	e1c26181065ad69078e281154f741d318ceec9d412c030a89397e6d27ff89c224ed7f106b68892f41309264830e48255ff114369985206efe9c5311f8725df3d
SSDEEP:	24576:kt9cpVDhOXLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqF6:jpRhOXLcJyEq9GRhvVqtV01Mq7kctDAo
TLSH:	057501113BD8C03AE2FA0A3199FA976529B5BD364B30D0CF27D0799D0A30AD2E935757
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 10:47:26.357072115 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 25, 2024 10:47:35.966362000 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 25, 2024 10:47:48.810199976 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:48.810280085 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:48.810368061 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:48.812083006 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:48.812129021 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.269664049 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.269767046 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.273318052 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.273344994 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.273765087 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.325696945 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.683531046 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.724158049 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965398073 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965450048 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965468884 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965486050 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965517044 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.965527058 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965547085 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965549946 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.965575933 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965603113 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.965632915 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.965748072 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965817928 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.965842962 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.965962887 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.966065884 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.979201078 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.979237080 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:47:49.979264975 CEST	49732	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:47:49.979280949 CEST	443	49732	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:28.910095930 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:28.910185099 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:28.910285950 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:28.910759926 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:28.910794973 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.343679905 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.343822956 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.352567911 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.352602959 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.352817059 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.369484901 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.412143946 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767426014 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767457008 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767471075 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767612934 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.767653942 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767688036 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767714977 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767759085 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.767765045 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.767865896 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.779992104 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.780030012 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:29.780060053 CEST	49743	443	192.168.2.4	52.165.165.26
Apr 25, 2024 10:48:29.780075073 CEST	443	49743	52.165.165.26	192.168.2.4
Apr 25, 2024 10:48:43.826752901 CEST	49723	80	192.168.2.4	199.232.214.172
Apr 25, 2024 10:48:43.826853991 CEST	49724	80	192.168.2.4	23.47.204.65
Apr 25, 2024 10:48:43.936372995 CEST	80	49723	199.232.214.172	192.168.2.4
Apr 25, 2024 10:48:43.936436892 CEST	80	49723	199.232.214.172	192.168.2.4
Apr 25, 2024 10:48:43.936474085 CEST	80	49724	23.47.204.65	192.168.2.4
Apr 25, 2024 10:48:43.936496973 CEST	49723	80	192.168.2.4	199.232.214.172
Apr 25, 2024 10:48:43.936696053 CEST	49724	80	192.168.2.4	23.47.204.65
Apr 25, 2024 10:52:24.594404936 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:24.594500065 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:24.594568014 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:24.594871044 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:24.594907045 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:24.981863976 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:24.981941938 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.001264095 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.001300097 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.001537085 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.001595974 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.002048016 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.002091885 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.002130032 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.126816988 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.127074003 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.224857092 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.224936962 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.224936008 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.224987984 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.225028992 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.225059032 CEST	443	49772	20.42.65.94	192.168.2.4
Apr 25, 2024 10:52:25.225081921 CEST	49772	443	192.168.2.4	20.42.65.94
Apr 25, 2024 10:52:25.225107908 CEST	49772	443	192.168.2.4	20.42.65.94

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 10:47:54.395257950 CEST	138	138	192.168.2.4	192.168.2.255
Apr 25, 2024 10:48:55.811685085 CEST	58940	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:48:55.953551054 CEST	53	58940	1.1.1.1	192.168.2.4
Apr 25, 2024 10:49:09.123240948 CEST	59209	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:49:09.271899939 CEST	53	59209	1.1.1.1	192.168.2.4
Apr 25, 2024 10:50:03.685446978 CEST	65226	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:50:04.330130100 CEST	53	65226	1.1.1.1	192.168.2.4
Apr 25, 2024 10:50:17.703218937 CEST	60738	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:50:17.847084045 CEST	53	60738	1.1.1.1	192.168.2.4
Apr 25, 2024 10:50:22.857733965 CEST	52423	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:50:23.002460957 CEST	53	52423	1.1.1.1	192.168.2.4
Apr 25, 2024 10:51:47.077300072 CEST	57445	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:51:47.233153105 CEST	53	57445	1.1.1.1	192.168.2.4
Apr 25, 2024 10:51:55.034885883 CEST	138	138	192.168.2.4	192.168.2.255
Apr 25, 2024 10:52:27.888819933 CEST	59559	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:52:28.031111956 CEST	53	59559	1.1.1.1	192.168.2.4
Apr 25, 2024 10:52:35.458952904 CEST	64403	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:52:35.599688053 CEST	53	64403	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 10:48:55.811685085 CEST	192.168.2.4	1.1.1.1	0xb509	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:49:09.123240948 CEST	192.168.2.4	1.1.1.1	0x69b4	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:50:03.685446978 CEST	192.168.2.4	1.1.1.1	0x3a78	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:50:17.703218937 CEST	192.168.2.4	1.1.1.1	0xb636	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:50:22.857733965 CEST	192.168.2.4	1.1.1.1	0x80dc	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:51:47.077300072 CEST	192.168.2.4	1.1.1.1	0x9a25	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:52:27.888819933 CEST	192.168.2.4	1.1.1.1	0x1f88	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:52:35.458952904 CEST	192.168.2.4	1.1.1.1	0xa4e0	Standard query (0)	twinks234.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 10:48:55.953551054 CEST	1.1.1.1	192.168.2.4	0xb509	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:49:09.271899939 CEST	1.1.1.1	192.168.2.4	0x69b4	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:50:04.330130100 CEST	1.1.1.1	192.168.2.4	0x3a78	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:50:17.847084045 CEST	1.1.1.1	192.168.2.4	0xb636	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:50:23.002460957 CEST	1.1.1.1	192.168.2.4	0x80dc	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:51:47.233153105 CEST	1.1.1.1	192.168.2.4	0x9a25	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:52:28.031111956 CEST	1.1.1.1	192.168.2.4	0x1f88	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:52:35.599688053 CEST	1.1.1.1	192.168.2.4	0xa4e0	Name error (3)	twinks234.duckdns.org	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

self.events.data.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 08:47:49 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dp3LT5UDBFGklVa&MD=ECx2K67C HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-25 08:47:49 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b0e71776-0bd4-4ea6-9d26-7208b945f93c MS-RequestId: 383cb0a1-9f37-40d9-887d-ee42ee00ec4c MS-CV: 5dKKkv/7mUy4ElkH.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Apr 2024 08:47:49 GMT Connection: close Content-Length: 24490
2024-04-25 08:47:49 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-25 08:47:49 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 08:48:29 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dp3LT5UDBFGklVa&MD=ECx2K67C HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-25 08:48:29 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 549f4037-8c32-418c-b86d-760d162671f2 MS-RequestId: 925fdb06-43fc-43d5-81cc-9b1c9a057b4a MS-CV: 4YOtuEDO+0mte0Sw.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Apr 2024 08:48:29 GMT Connection: close Content-Length: 25457
2024-04-25 08:48:29 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-25 08:48:29 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49772	20.42.65.94	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 08:52:24 UTC	828	OUT	POST /OneCollector/1.0/ HTTP/1.1 Accept: / APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521 AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p= Client-Id: NO_AUTH Content-Encoding: deflate Content-Type: application/bond-compact-binary Expect: 100-continue SDK-Version: EVT-Windows-C++-No-3.4.15.1 Upload-Time: 1714035143184 Host: self.events.data.microsoft.com Content-Length: 7974 Connection: Keep-Alive Cache-Control: no-cache
2024-04-25 08:52:24 UTC	7974	OUT	Data Raw: ed 7c 4b ac 5c 47 7a de a1 24 33 14 45 51 1c 49 a3 91 34 f2 88 26 34 93 91 d5 7d 53 ef 47 23 86 87 ba bc 33 e2 44 1c 2a bc 94 34 33 80 c1 9c ee 3e dd 7d c8 ee 3e 57 fd e0 43 f0 42 98 85 01 1b b1 11 1a 30 10 64 35 c8 22 b0 00 db 30 82 c9 22 5e 39 40 16 99 30 9b 20 4b 67 91 04 c8 c6 c8 c2 30 9c 6c 92 45 be aa 53 e7 9c ea e2 15 67 3c 18 08 1e 80 17 24 2f ff aa 3a f5 fc ff ef ff fe aa 3a e7 cd 27 f9 1e b9 2c ae 4e 26 e5 a8 b8 71 78 6f bd 29 16 e1 d7 3b 45 3e df cc ae 14 9b 7c 9c 6f f2 4b c5 6d 94 d8 af 96 eb 6a 5e 22 a1 18 7f f4 37 7f f9 d7 3f fa 9d 7f f7 af ff eb 17 3e bd 50 0d 46 63 c3 95 62 4a 51 3a 12 a3 3c cf cd 64 24 87 ac d0 cc 14 85 a1 e3 ff 7c f2 07 4f 3d f8 e2 e9 13 e5 99 0f ae dc c9 57 45 ef fc e5 e5 68 ef b7 4f d7 12 23 3d 9a 3d 78 e9 f4 89 ec c1 Data Ascii: \|K\Gz$3EQI4&4}SG#3D*43>}>WCB0d5"0"^9@0 Kg0lESg<$/::',N&qxo);E>\|oKmj^"7?>PFcbJQ:<d$\|O=WEhO#==x
2024-04-25 08:52:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-25 08:52:25 UTC	443	IN	HTTP/1.1 200 OK Content-Length: 9 Content-Type: application/json Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 time-delta-millis: 1876 Access-Control-Allow-Headers: time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Access-Control-Expose-Headers: time-delta-millis Date: Thu, 25 Apr 2024 08:52:24 GMT Connection: close {"acc":4}

Target ID:	0
Start time:	10:47:29
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Iu4csQ2rwX.msi"
Imagebase:	0x7ff601ed0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:47:29
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7699e0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:47:29
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 49FA398F3E264BE26A418C8408A7EA4A
Imagebase:	0x430000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:47:30
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:	0x910000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:47:30
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:47:30
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:	0xd0000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:47:30
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:47:31
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe"
Imagebase:	0x7c0000
File size:	1'289'216 bytes
MD5 hash:	6E7EBD37B6095CB1A2F3FFA9D5598C81
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	6

Executed Functions

Function 029F7C80 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 029F7CFE
GetCurrentThread.KERNEL32 ref: 029F7D3B
GetCurrentProcess.KERNEL32 ref: 029F7D78
GetCurrentThreadId.KERNEL32 ref: 029F7DD1

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 45d29d906790a5fd665320101dc2242021ecd3633f3636222e7e8fd2d570af73
Instruction ID: a51891f713bb185ce8b9240f7ef7f9f619f8b344f2716e625d593f26daba166c
Opcode Fuzzy Hash: 45d29d906790a5fd665320101dc2242021ecd3633f3636222e7e8fd2d570af73
Instruction Fuzzy Hash: 035143B0900349CFDB54CFA9D548BEEFBF1AF48314F208459E519A72A0CB35A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 029F7C7A Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 029F7CFE
GetCurrentThread.KERNEL32 ref: 029F7D3B
GetCurrentProcess.KERNEL32 ref: 029F7D78
GetCurrentThreadId.KERNEL32 ref: 029F7DD1

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7b16995db174f6a8dabeaad0c3bc10a57caee70afe0ef27d096516f6442947fb
Instruction ID: 9557d37b2f0dc406dfe6fd3192e02611d74b43f87506813fbbb3d89bda5c0363
Opcode Fuzzy Hash: 7b16995db174f6a8dabeaad0c3bc10a57caee70afe0ef27d096516f6442947fb
Instruction Fuzzy Hash: 725143B0900349CFDB54CFA9D548BEEFBF1AF48314F20845AE519A72A0CB35A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 029F785C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029F7E8E,?,?,?,?,?), ref: 029F7F4F

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a3b24e10c6efd6fee7eaceb9f00257b95e72af07194a7a152bc8f6691ba67619
Instruction ID: 6a8e5047d39a755026639adc9ab5054d309c52a4251e1aa5bd2ad21834ce3271
Opcode Fuzzy Hash: a3b24e10c6efd6fee7eaceb9f00257b95e72af07194a7a152bc8f6691ba67619
Instruction Fuzzy Hash: AF2105B5900208EFDB50CF99D984ADEFFF4EB48320F14801AE958A7310D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 029F7EC0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029F7E8E,?,?,?,?,?), ref: 029F7F4F

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9aae9dfa3dc0de8791984d6d784217a03eba69a922205352ed0c23325171e9d7
Instruction ID: 1a366587cc05fb09cb9bdca3e524c636dfeebb535c137832686871ac4a2d84d5
Opcode Fuzzy Hash: 9aae9dfa3dc0de8791984d6d784217a03eba69a922205352ed0c23325171e9d7
Instruction Fuzzy Hash: 4021E3B5D00258DFDB10CFA9D984ADEBBF4EB48324F14801AE958A7310D374A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029F29C3 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 029F2A43

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 2603b90c1b77bdd9b99872a5f1b86c26028d94bbb91aa4a94715cd0805839d19
Instruction ID: f1ae6b5f479cf988de0d51538bf0c2cede08e348803bf1647e538190de15fc06
Opcode Fuzzy Hash: 2603b90c1b77bdd9b99872a5f1b86c26028d94bbb91aa4a94715cd0805839d19
Instruction Fuzzy Hash: C12135B1D002099FDB54DFA9C844BDEFBF5EB88324F148429D458A7250C774A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029F29C8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 029F2A43

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6e03dfd290b90f9af8ba924fa368616cb25fb8b9b21c2ad5b54c2b88a074a7ee
Instruction ID: c58136a29f7a62ce762b1fe15f88a6be6d09d849b5a55f6c92cf825ddfef4dd9
Opcode Fuzzy Hash: 6e03dfd290b90f9af8ba924fa368616cb25fb8b9b21c2ad5b54c2b88a074a7ee
Instruction Fuzzy Hash: 182135B1D002099FDB54DF99C844BDEFBF4AB88324F108429D458A7250C774A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029FD368 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 029FD3DD

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 478fa80e2ece88238dcb6d27c464f52187a30d6a639c728cd174177d88bba4ff
Instruction ID: b48d665e27b531663950a29ba3474c8071557e85b1219381aead3e2f8ceae90a
Opcode Fuzzy Hash: 478fa80e2ece88238dcb6d27c464f52187a30d6a639c728cd174177d88bba4ff
Instruction Fuzzy Hash: 2711A9758043898ACB10CF99D9063EEBFF4AB05324F18805AE584A3281C778AA44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0137D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4721492874.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_137d000_mafiachroom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce29d16a444d408bc73b7dd42741149030226440910affea18099bd32d8200a4
Instruction ID: 6374591c26ab59b5d85524210c5599f223225b096ef5a9b973c1b2d6fd309c6a
Opcode Fuzzy Hash: ce29d16a444d408bc73b7dd42741149030226440910affea18099bd32d8200a4
Instruction Fuzzy Hash: 762145B1500204EFDB21DF58D9C0B66BF65FF88328F20C169E8091B656C73AE446C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0138D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4721521530.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_138d000_mafiachroom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6873b187699cd8a39eb93d093f9ed5828e86566bab37412926bde3218a7740a5
Instruction ID: 5db5fae831d5ee304ee522c7c999861fe74139cbb846264699579c1f44111add
Opcode Fuzzy Hash: 6873b187699cd8a39eb93d093f9ed5828e86566bab37412926bde3218a7740a5
Instruction Fuzzy Hash: 3D210471504304EFDB45EF58D9C4B26BBA5FF88318F20C56DD80A4B296C73AD446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0137D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4721492874.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_137d000_mafiachroom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e84c33c8570341c9940b8f89567a2cfe4073950b37b4a6aa80bc703751cbc665
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8311EE72404280CFCB12CF54D9C4B56BF72FF84328F24C6A9D8490B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0138D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4721521530.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_138d000_mafiachroom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 839847d8b8b3443be57b0803e95191452638c7e0a902ff1fad243e6f84e87294
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5911BB75504380DFDB06DF54D9C4B15BFA1FB84218F24C6AAD8094B296C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 029FE048 Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4721659468.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_29f0000_mafiachroom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a8bbee9af54e39457bab50de75905475c1159752bb4bc3ff92883d0042d413
Instruction ID: 4279fa16ec3c39e14aea80561e1bec7f579acb712ef9441c6c805c652881f6d4
Opcode Fuzzy Hash: 61a8bbee9af54e39457bab50de75905475c1159752bb4bc3ff92883d0042d413
Instruction Fuzzy Hash: 99527C31A00619CFCB95CF64C880BAEB7B6FF44304F5588A9EA59AB261D770FD85CB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Iu4csQ2rwX.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\msiwrapper.ini

C:\Windows\Installer\6c70ae.msi

C:\Windows\Installer\MSI7206.tmp

C:\Windows\Installer\SourceHash{BE13E8ED-EE1E-41EA-93EE-21B2B781511E}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Logs\DPX\setupact.log

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF5089C8F6485DBCAD.TMP

C:\Windows\Temp\~DFEEBD6A38A1E19B64.TMP

\Device\ConDrv

Windows Analysis Report
Iu4csQ2rwX.msi

Function 029F7C80 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 029F7C7A Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 029F785C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 029F7EC0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 029F29C3 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 029F29C8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 029FD368 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON