Analysis Overview
SHA256
35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
Threat Level: Known bad
The file 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-05 01:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-05 01:26
Reported
2023-05-05 01:29
Platform
win7-20230220-en
Max time kernel
59s
Max time network
137s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsafte.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microsafte.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpABF9.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\microsafte.exe
"C:\Users\Admin\AppData\Roaming\microsafte.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | seznam.zapto.org | udp |
| NL | 91.109.178.2:6606 | seznam.zapto.org | tcp |
Files
memory/1240-54-0x0000000000280000-0x0000000000368000-memory.dmp
memory/1240-55-0x0000000000370000-0x0000000000382000-memory.dmp
memory/1240-56-0x0000000004A10000-0x0000000004A50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpABF9.tmp.bat
| MD5 | 47d6f66c4cb05a3cfa0971179dd19972 |
| SHA1 | 8fec647f8c206a4bc41d1780b92010d7f97b903c |
| SHA256 | 36af6bddcf9cfb0147f47da5f7a9dbf4d5ffe7e1bee8d3af34fb7be1303d2fce |
| SHA512 | d89a68be09075545f31cc3f9acf10e5acfb1f8b70ee50184d3dff16e5d664a790543453f1f7e50596401c2802f4e6b912da037b785d7d1c95949a1d2ace31997 |
\Users\Admin\AppData\Roaming\microsafte.exe
| MD5 | c011326ff5f864290617144c3dddcc88 |
| SHA1 | 257d10e95aeec5d8c63e4d1369c5cbf244568bf7 |
| SHA256 | 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491 |
| SHA512 | 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a |
C:\Users\Admin\AppData\Roaming\microsafte.exe
| MD5 | c011326ff5f864290617144c3dddcc88 |
| SHA1 | 257d10e95aeec5d8c63e4d1369c5cbf244568bf7 |
| SHA256 | 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491 |
| SHA512 | 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a |
memory/432-69-0x0000000000C20000-0x0000000000D08000-memory.dmp
memory/432-70-0x0000000004850000-0x0000000004890000-memory.dmp
memory/432-88-0x0000000004850000-0x0000000004890000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-05 01:26
Reported
2023-05-05 01:29
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsafte.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microsafte.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC009.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
C:\Users\Admin\AppData\Roaming\microsafte.exe
"C:\Users\Admin\AppData\Roaming\microsafte.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 104.208.16.89:443 | N/A | tcp |
| US | 8.8.8.8:53 | milla.publicvm.com | udp |
| NL | 91.109.178.2:8808 | milla.publicvm.com | tcp |
| US | 8.8.8.8:53 | 2.178.109.91.in-addr.arpa | udp |
| US | 209.197.3.8:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
Files
memory/3628-133-0x0000000000C00000-0x0000000000CE8000-memory.dmp
memory/3628-134-0x0000000005C40000-0x00000000061E4000-memory.dmp
memory/3628-135-0x0000000005730000-0x00000000057C2000-memory.dmp
memory/3628-136-0x00000000057D0000-0x000000000586C000-memory.dmp
memory/3628-137-0x0000000005960000-0x0000000005970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC009.tmp.bat
| MD5 | 26976e8e5aefac0a1bf0c90b8c471069 |
| SHA1 | e43de325e4c9b4f82fb512b8a8857c5dcee557c3 |
| SHA256 | 8b5b78b519db60af171a76229361b14e67e6d6280ab450f154f439759ed9f1f8 |
| SHA512 | f4cd1b31ea5cd8c1d5d872580a064f6cec31eec87ea0eaef013090e210ddc96c481dbb6ff521c817933dac3db6c1a44b620de9422c664505ce4cd5daf402bad6 |
C:\Users\Admin\AppData\Roaming\microsafte.exe
| MD5 | c011326ff5f864290617144c3dddcc88 |
| SHA1 | 257d10e95aeec5d8c63e4d1369c5cbf244568bf7 |
| SHA256 | 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491 |
| SHA512 | 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a |
memory/208-146-0x0000000005890000-0x00000000058A0000-memory.dmp
memory/208-147-0x00000000065F0000-0x0000000006656000-memory.dmp
memory/208-148-0x0000000005890000-0x00000000058A0000-memory.dmp