Overview

overview

10

Static

static

3

hkcmd.exe

windows7-x64

10

hkcmd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hkcmd.exe

  • Size

    691KB

  • MD5

    dd505f7c59aa2882633c01034428e952

  • SHA1

    12ffe4b71bdda14909f5d88301597f9cdf75ff94

  • SHA256

    de1b9f6d4bf9909be6073eb4bb16b724a824e3d3d75baef2cfee19f538c79c7e

  • SHA512

    3c79eb968ce299b91d1c456f52c3a6cd2bfd75ae6ac8f6e35c56800e3d2e3f2ceec0e95545cb7cb6c6305e2a26ff1b681c65dd3470f1e9d16b8726e9c223ebd0

  • SSDEEP

    12288:SrgDkO3hHlWxMzIHREJVk/bq4izoW/m7GloyLwo6s7pSCpCETtwpkZQ6b98I:SMA4hHlWxMiQW/O4ue7koUos1JpfhkX4

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

191.101.130.205:6606

191.101.130.205:7707

191.101.130.205:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hkcmd.exe
    "C:\Users\Admin\AppData\Local\Temp\hkcmd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RjBtcy.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RjBtcy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp540.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3968
    • C:\Users\Admin\AppData\Local\Temp\hkcmd.exe
      "C:\Users\Admin\AppData\Local\Temp\hkcmd.exe"
      2⤵
        PID:3164

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hkcmd.exe.log
      Filesize

      1KB

      MD5

      33d62ef2c354f839a8b2b987e6ee41e7

      SHA1

      d76f64ac411a61f3f232f7f9f7b179bd34042226

      SHA256

      f6a84062cb11ccf802324692c2c4c48543377cf717d98efd5de695ed6d0a97d9

      SHA512

      d68a426b2f4646bb45e2267d60680166a8effb9a461e5a07756ba13a3bdf36b27e6e9777d945d03a62362e6976e92214c53ffc7c4f03ec28d3fcfc9a442c5e3c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjczlq0g.hlp.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp540.tmp
      Filesize

      1KB

      MD5

      dcafef379a5683d29779e9f7caa8bf5a

      SHA1

      712b4b099f3c486af559bdc192356b608e544168

      SHA256

      cc8ee15e7321cca25b9811423ab6fdd02c39e074708f435d55ee5747c9d2136b

      SHA512

      72cac29446695cc17a52c49702bd6c47c41970a5783a4ff5215cd7daa07d0d39ddd327b8a0511b55e62076140c1aa64bc2de9b2669d3bd9b399b20fe21030c4c

      Download Submit
    • memory/1052-134-0x00000000053E0000-0x0000000005984000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1052-135-0x0000000004E30000-0x0000000004EC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1052-136-0x0000000004DC0000-0x0000000004DCA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1052-137-0x0000000005030000-0x0000000005040000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1052-138-0x0000000005030000-0x0000000005040000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1052-139-0x0000000007D70000-0x0000000007E0C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1052-133-0x0000000000360000-0x0000000000412000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1640-162-0x0000000002940000-0x0000000002950000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1640-176-0x00000000067B0000-0x00000000067CE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1640-150-0x0000000005120000-0x0000000005142000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1640-151-0x00000000052D0000-0x0000000005336000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1640-186-0x0000000007830000-0x0000000007838000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1640-157-0x0000000005BE0000-0x0000000005C46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1640-145-0x00000000028E0000-0x0000000002916000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1640-163-0x0000000002940000-0x0000000002950000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1640-164-0x0000000006200000-0x000000000621E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1640-165-0x00000000067D0000-0x0000000006802000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1640-166-0x0000000071630000-0x000000007167C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1640-149-0x0000000005440000-0x0000000005A68000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1640-177-0x0000000002940000-0x0000000002950000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1640-178-0x000000007F3C0000-0x000000007F3D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1640-179-0x0000000007B50000-0x00000000081CA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1640-180-0x0000000007510000-0x000000000752A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1640-181-0x0000000007580000-0x000000000758A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1640-182-0x0000000007790000-0x0000000007826000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1640-185-0x0000000007850000-0x000000000786A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1640-184-0x0000000007740000-0x000000000774E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3164-183-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3164-146-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3164-189-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download