Analysis Overview
SHA256
7e99509d08819ab9c8e1e4dd16bd0e55060c63d6a71751848b2643c95647a77a
Threat Level: Known bad
The file c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.zip was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
AsyncRat
Asyncrat family
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Uses Task Scheduler COM API
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-21 13:26
Signatures
Async RAT payload
Asyncrat family
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 13:26
Reported
2023-03-21 13:28
Platform
win7-20230220-en
Max time kernel
136s
Max time network
156s
Command Line
Signatures
AsyncRat
Async RAT payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe
"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft Services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
Files
memory/1196-54-0x00000000001B0000-0x00000000001C2000-memory.dmp
memory/1196-55-0x000000001B220000-0x000000001B2A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat
| MD5 | a0c4dbd8171b25def4dd6b440110a194 |
| SHA1 | ff5fa174fa1fd86cd101c4e58cfd81d0d0d06d62 |
| SHA256 | 4dc0db246e42c8343404587ea61b7857f86aa87e287aa8f2f00ea909d7624714 |
| SHA512 | be7c082fadc57ed2edc7fcc879d053dbd39f543b395f63a88695923be04cd6cd6f29cdb0c1d3bb947967d021434e4ebe24b3f34b733bec9bd12b7db58a435716 |
C:\Users\Admin\AppData\Roaming\Microsoft Services.exe
| MD5 | 0c2353b8b6923a16f523944d6514bb8f |
| SHA1 | d66baa60bcfbc057466b3ca0ef3076c5fd02210b |
| SHA256 | c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3 |
| SHA512 | 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d |
memory/1388-68-0x0000000000BA0000-0x0000000000BB2000-memory.dmp
memory/1388-69-0x0000000000420000-0x00000000004A0000-memory.dmp
memory/1388-70-0x0000000000420000-0x00000000004A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 13:26
Reported
2023-03-21 13:28
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
AsyncRat
Async RAT payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe
"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDA7.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft Services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"
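The Processes sections of behavioral1 and behavioral2 show the same chain: the sample spawns cmd.exe to register a logon task named "Microsoft Services" with /rl highest pointing at a self-copy under AppData\Roaming, then runs a %TEMP%\tmpXXXX.tmp.bat that waits three seconds (timeout 3) before launching that copy. The script below is an added example, not part of the report, that tokenises those command lines with Windows argv rules and pulls the hunting indicators (task name, action path, trigger, run level) out of the schtasks invocations. One detail worth seeing in code: cmd.exe does not treat single quotes as delimiters, so the '"..."' wrapper around the /tr value survives tokenisation and the task action is registered with literal single quotes. The command lines are copied verbatim from the two sections; the report gives no PIDs, so no parent/child links are assumed, and the trait list in assess_task is this example's own choice.

```python
"""Added example (not from the report): rebuild the persistence chain from the
command lines listed in the behavioral1 and behavioral2 Processes sections."""
import re
from dataclasses import dataclass, field

# Command lines copied verbatim from the two Processes sections. The report gives
# no PIDs or parent links, so each line is assessed on its own.
REPORTED_COMMAND_LINES = r'''
"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit
schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat""
timeout 3
"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDA7.tmp.bat""
timeout 3
'''.strip().splitlines()


def win_argv(cmdline):
    """Split like CommandLineToArgvW: double quotes group text and are removed,
    single quotes are ordinary characters (so the /tr value keeps them).
    Backslash-escaped quotes do not occur above and are not handled."""
    args, cur, in_quotes, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, pending = not in_quotes, True
        elif ch in ' \t' and not in_quotes:
            if pending:
                args.append(''.join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
    return args + [''.join(cur)] if pending else args


def image_name(argv):
    return argv[0].rsplit('\\', 1)[-1].lower() if argv else ''


def unwrap_cmd(argv):
    """For 'cmd[.exe] /c <command> [& ...]' return <command>'s argv, else argv."""
    if image_name(argv) in ('cmd', 'cmd.exe') and len(argv) > 2 and argv[1].lower() == '/c':
        inner = argv[2:]
        return inner[:inner.index('&')] if '&' in inner else inner
    return argv


# schtasks switches that take a value; the rest (/create, /f, ...) are bare flags.
VALUE_SWITCHES = {'sc', 'rl', 'tn', 'tr', 'ru', 'rp', 'mo', 'st', 'sd', 'ed', 'et',
                  'd', 'm', 'i', 'du', 'ec', 'xml', 'delay', 's', 'u', 'p'}


def parse_schtasks_create(argv):
    """Return (options, flags) for a 'schtasks /create' argv, else None."""
    if image_name(argv) not in ('schtasks', 'schtasks.exe'):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(argv):
        key = argv[i][1:].lower() if argv[i].startswith('/') else None
        if key in VALUE_SWITCHES and i + 1 < len(argv):
            opts[key] = argv[i + 1]
            i += 2
            continue
        if key is not None:
            flags.add(key)
        i += 1
    return (opts, flags) if 'create' in flags else None


@dataclass
class TaskFinding:
    task_name: str
    action: str
    trigger: str
    run_level: str
    reasons: list = field(default_factory=list)


def assess_task(opts, flags):
    """Match the task definition against the traits this report exhibits
    (trait list chosen for this example, not taken from the sandbox)."""
    action, name = opts.get('tr', ''), opts.get('tn', '')
    reasons = []
    if opts.get('sc', '').lower() == 'onlogon':
        reasons.append('logon trigger')
    if opts.get('rl', '').lower() == 'highest':
        reasons.append('run level HIGHEST (elevated token when the user is an admin)')
    if 'f' in flags:
        reasons.append('/f silently replaces an existing task of the same name')
    if len(action) > 1 and action[0] == action[-1] == "'":
        reasons.append('action wrapped in literal single quotes (cmd passes them through)')
    if '\\appdata\\' in action.lower():
        reasons.append('action lives under the user profile AppData')
    if 'microsoft' in name.lower():
        reasons.append('task name imitates a Microsoft component')
    return TaskFinding(name, action, opts.get('sc', ''), opts.get('rl', ''), reasons)


def extract_chain(lines):
    # Returns (unique task findings, %TEMP%\tmpXXXX.tmp.bat staging scripts, timeout delays).
    tasks, batches, delays = {}, [], []
    for line in lines:
        argv = unwrap_cmd(win_argv(line))
        parsed = parse_schtasks_create(argv)
        if parsed:
            finding = assess_task(*parsed)
            tasks.setdefault((finding.task_name, finding.action), finding)
        elif argv and re.search(r'\\temp\\tmp[0-9a-f]{4}\.tmp\.bat$', argv[0], re.I):
            batches.append(argv[0])
        elif image_name(argv) in ('timeout', 'timeout.exe') and len(argv) > 1 and argv[1].isdigit():
            delays.append(int(argv[1]))
    return list(tasks.values()), batches, delays


if __name__ == '__main__':
    for finding in extract_chain(REPORTED_COMMAND_LINES)[0]:
        print(finding.task_name, '->', finding.action, finding.reasons)
```

On a live host the same fields (task name, action, trigger, run level) can be read from the task definitions Windows keeps under C:\Windows\System32\Tasks; a task whose action path begins with a single quote is the artefact to look for.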
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 20.189.173.2:443 | | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
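The behavioral2 Network table mixes the C2 channel (DNS queries for thebest39393.ddns.net followed by TCP to 99.114.251.177:8809) with reverse lookups, loopback connections on the same port 8809, and three TCP destinations the sandbox did not tie to any domain. The following is an added example, not part of the report, that parses the rows as they appear in the table, decodes the in-addr.arpa names back to the addresses being looked up, and separates the C2 indicators from the rest. It does not attribute the unattributed destinations; the page gives no basis for that, so they are only reported as such.

```python
"""Added example (not from the report): triage the behavioral2 Network table,
separating the C2 channel from resolver, reverse-lookup and loopback rows."""
import ipaddress
from collections import Counter

# Rows copied from the behavioral2 Network table (Country | Destination | Domain | Proto).
# An empty Domain cell means the sandbox did not tie the connection to a DNS answer.
NETWORK_TABLE = '''
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 20.189.173.2:443 | | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
| N/A | 127.0.0.1:8809 | | tcp |
| US | 8.8.8.8:53 | thebest39393.ddns.net | udp |
| US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp |
'''


def parse_rows(table):
    """Turn pipe-delimited table rows into (country, destination, domain, proto) tuples."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows


def ptr_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None if not an IPv4 PTR name."""
    suffix = '.in-addr.arpa'
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return '.'.join(reversed(octets))


def classify(row):
    _country, dest, domain, proto = row
    ip, port = dest.rsplit(':', 1)
    if ipaddress.ip_address(ip).is_loopback:
        return 'loopback'
    if proto == 'udp' and port == '53':
        return 'ptr-lookup' if ptr_to_ip(domain) else 'dns-query'
    return 'resolved-connection' if domain else 'unattributed-connection'


def triage(rows):
    kinds, loopback_ports = Counter(), Counter()
    queried, ptr_targets, connections, unattributed = set(), set(), set(), set()
    for row in rows:
        kind = classify(row)
        kinds[kind] += 1
        _country, dest, domain, _proto = row
        ip, port = dest.rsplit(':', 1)
        port = int(port)
        if kind == 'dns-query':
            queried.add(domain)
        elif kind == 'ptr-lookup':
            ptr_targets.add(ptr_to_ip(domain))
        elif kind == 'loopback':
            loopback_ports[port] += 1
        elif kind == 'resolved-connection':
            connections.add((domain, ip, port))
        else:
            unattributed.add((ip, port))
    # C2 candidates: connections to a name the sample itself looked up.
    c2 = {c for c in connections if c[0] in queried}
    c2_ports = {port for _d, _ip, port in c2}
    contacted = {ip for _d, ip, _p in c2} | {ip for ip, _p in unattributed}
    return {
        'kinds': kinds,
        'c2': c2,
        'unattributed': unattributed,
        'loopback_ports': loopback_ports,
        'loopback_on_c2_port': set(loopback_ports) & c2_ports,
        'ptr_targets': ptr_targets,
        'ptr_targets_not_contacted': ptr_targets - contacted,
    }


if __name__ == '__main__':
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(f'{key}: {value}')
```

The cross-reference at the end is the useful part: none of the nine addresses named in the PTR queries appears as a connection destination, and the only loopback port in the table is the C2 port, both facts that are easy to miss when reading the rows one by one.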
Files
memory/2052-136-0x00000000005A0000-0x00000000005B2000-memory.dmp
memory/2052-137-0x000000001BE80000-0x000000001BE90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBDA7.tmp.bat
| MD5 | e9ac326b90f8604cb605f2738f65d4aa |
| SHA1 | ab04adf8952896c26b5357e3ceae171122b73e09 |
| SHA256 | acc308780881e334770db26194bbf8949b18121e5c0b9eb785d579c22bc07bdf |
| SHA512 | 31a4a711c2dc97e77c4cd2afd83a5820e2bada62dafe971cab9e7346665503c6938e19ca828d6c5fcf7839809bb4608ce8825d8b2175ab4b5e690b203868c0d6 |
C:\Users\Admin\AppData\Roaming\Microsoft Services.exe
| MD5 | 0c2353b8b6923a16f523944d6514bb8f |
| SHA1 | d66baa60bcfbc057466b3ca0ef3076c5fd02210b |
| SHA256 | c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3 |
| SHA512 | 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d |
memory/3284-146-0x000000001BBC0000-0x000000001BBD0000-memory.dmp
memory/3284-147-0x000000001BBC0000-0x000000001BBD0000-memory.dmp