Analysis
-
max time kernel
299s -
max time network
335s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
20-08-2023 20:23
General
-
Target
Infected.exe
-
Size
63KB
-
MD5
45e26c322dba6a6eecced041efb55e9b
-
SHA1
0762521b60d9a56c5a3219e4bbeeffdc3454edba
-
SHA256
c41f14d142a0afb87f747243818ea6838b8d7b000e22cd488d759594e1e2290a
-
SHA512
1fd55bc8c8e83bededae62c83010d6a164f6ad29a65839e464d17c67fd1a25a63f9192609c974a467550a93d310a182686b48bc91d00ab3d2f0b22eb9bff5c62
-
SSDEEP
768:yfLDqQkNP78i3C8A+XOSazcBRL5JTk1+T4KSBGHmDbD/ph0oXR05CuajaSucdpqM:WmNvVdSJYUbdh9RruYucdpqKmY7
Malware Config
Extracted
asyncrat
Default
Kaught-36793.portmap.host:1194
Kaught-36793.portmap.host:53088
Kaught-53088.portmap.host:1194
Kaught-53088.portmap.host:53088
Ι7IEيHCΓΔFשΔHxn1wGx
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Infected.exe"C:\Users\Admin\AppData\Local\Temp\Infected.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\akfbfq.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\akfbfq.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\akfbfq.exe"C:\Users\Admin\AppData\Local\Temp\akfbfq.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"5⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC Kaught-53088.portmap.host 53088 02ctEO5⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hgsbhp.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hgsbhp.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hgsbhp.exe"C:\Users\Admin\AppData\Local\Temp\hgsbhp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC Kaught-53088.portmap.host 53088 02ctEO5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC Kaught-53088.portmap.host 53088 02ctEO5⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mdnziq.exe"' & exit2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mdnziq.exe"'3⤵
-
C:\Users\Admin\AppData\Local\Temp\mdnziq.exe"C:\Users\Admin\AppData\Local\Temp\mdnziq.exe"4⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC Kaught-53088.portmap.host 53088 02ctEO5⤵
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2972 -s 39722⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 188 -p 2972 -ip 29721⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3900 -s 39802⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 3900 -ip 39001⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2208 -s 35762⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 484 -p 2208 -ip 22081⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4636 -s 35362⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 496 -p 4636 -ip 46361⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4508 -s 35322⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 4508 -ip 45081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5feadc4e1a70c13480ef147aca0c47bc0
SHA1d7a5084c93842a290b24dacec0cd3904c2266819
SHA2565b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
97B
MD575fdba27ae111f9312c9b243a5e22d02
SHA10bbbf13546b05600dbeb285609adcff5e12c2e24
SHA25662198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89
SHA512855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c
-
Filesize
97B
MD575fdba27ae111f9312c9b243a5e22d02
SHA10bbbf13546b05600dbeb285609adcff5e12c2e24
SHA25662198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89
SHA512855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c
-
Filesize
97B
MD575fdba27ae111f9312c9b243a5e22d02
SHA10bbbf13546b05600dbeb285609adcff5e12c2e24
SHA25662198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89
SHA512855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c
-
Filesize
97B
MD575fdba27ae111f9312c9b243a5e22d02
SHA10bbbf13546b05600dbeb285609adcff5e12c2e24
SHA25662198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89
SHA512855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
61KB
MD5586bb280453a83a66810d39b864741a5
SHA19a558f0e81d23dcc5a29bc91ad01705d4d14a315
SHA256c0dce08bd4627e194c99f789cfcf4037aed30635bea7f4761e570f55f448acb3
SHA512364275f7ac96802c5ac67c849aff8c20845e85e196fdc219a104a8d8b86ca08fb753ab9abd31675cb119a986d93241d0066ae21f16a78f4907e366dabfe4b094
-
Filesize
61KB
MD5586bb280453a83a66810d39b864741a5
SHA19a558f0e81d23dcc5a29bc91ad01705d4d14a315
SHA256c0dce08bd4627e194c99f789cfcf4037aed30635bea7f4761e570f55f448acb3
SHA512364275f7ac96802c5ac67c849aff8c20845e85e196fdc219a104a8d8b86ca08fb753ab9abd31675cb119a986d93241d0066ae21f16a78f4907e366dabfe4b094
-
Filesize
61KB
MD5586bb280453a83a66810d39b864741a5
SHA19a558f0e81d23dcc5a29bc91ad01705d4d14a315
SHA256c0dce08bd4627e194c99f789cfcf4037aed30635bea7f4761e570f55f448acb3
SHA512364275f7ac96802c5ac67c849aff8c20845e85e196fdc219a104a8d8b86ca08fb753ab9abd31675cb119a986d93241d0066ae21f16a78f4907e366dabfe4b094
-
Filesize
61KB
MD5586bb280453a83a66810d39b864741a5
SHA19a558f0e81d23dcc5a29bc91ad01705d4d14a315
SHA256c0dce08bd4627e194c99f789cfcf4037aed30635bea7f4761e570f55f448acb3
SHA512364275f7ac96802c5ac67c849aff8c20845e85e196fdc219a104a8d8b86ca08fb753ab9abd31675cb119a986d93241d0066ae21f16a78f4907e366dabfe4b094
-
Filesize
61KB
MD5586bb280453a83a66810d39b864741a5
SHA19a558f0e81d23dcc5a29bc91ad01705d4d14a315
SHA256c0dce08bd4627e194c99f789cfcf4037aed30635bea7f4761e570f55f448acb3
SHA512364275f7ac96802c5ac67c849aff8c20845e85e196fdc219a104a8d8b86ca08fb753ab9abd31675cb119a986d93241d0066ae21f16a78f4907e366dabfe4b094
-
Filesize
61KB
MD5586bb280453a83a66810d39b864741a5
SHA19a558f0e81d23dcc5a29bc91ad01705d4d14a315
SHA256c0dce08bd4627e194c99f789cfcf4037aed30635bea7f4761e570f55f448acb3
SHA512364275f7ac96802c5ac67c849aff8c20845e85e196fdc219a104a8d8b86ca08fb753ab9abd31675cb119a986d93241d0066ae21f16a78f4907e366dabfe4b094
-
Filesize
10B
MD53635bdb50b7239aac915a84e447b88f6
SHA12969f5ff805fc4540da053e77c264281af65d2d5
SHA256471f9d5bb2d5289b0168d419aa621f4ff1f630cfed5725a12b343483576c7c57
SHA512ab2ef96d646083edf0cb616b5cb2462bf313aea0a827718449c1ca3bb11c0eb9c0a637c75cd1c73101b96fad07631f048d5327ab9d6f735063ce2d6acd7f55f1
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
2.0MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB