Overview

overview

10

Static

static

10

fnexternal.exe

windows7-x64

10

fnexternal.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fnexternal.exe

  • Size

    47KB

  • MD5

    0baac525ab667acc805e5fc39365677d

  • SHA1

    bdbf2f2896c5f611bf05d511ae5df283fd4d5075

  • SHA256

    dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5

  • SHA512

    f37354cb81e09257926406b02d680387a004886a906b2e7319e6eec25e1e62cc1fd93cb6f27fe1781527613ac329fad25f1a38b9785c4dc685fa142cbeed5cf4

  • SSDEEP

    768:zUSRUbDILQe08+bi7EQ8iZ/8Yb+g9dm546VYvEgK/J3ZVc6KN:oS8ErzbBamnkJ3ZVclN

Score
10/10
asyncratdefaultpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:52364

199.36.223.62:8848

199.36.223.62:52364
Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    ..exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 5 IoCs
    rat
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 18 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fnexternal.exe
    "C:\Users\Admin\AppData\Local\Temp\fnexternal.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "." /tr '"C:\Users\Admin\AppData\Local\Temp\..exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "." /tr '"C:\Users\Admin\AppData\Local\Temp\..exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4948
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7520.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1780
      • C:\Users\Admin\AppData\Local\Temp\..exe
        "C:\Users\Admin\AppData\Local\Temp\..exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3100
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:3860
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      1⤵
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:208
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:1152
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1224
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:4092
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:4036
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3480
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:4728
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:220
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:4684
              • C:\Windows\system32\sihost.exe
                sihost.exe
                1⤵
                  PID:3332
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                    PID:4388
                  • C:\Windows\system32\sihost.exe
                    sihost.exe
                    1⤵
                      PID:4844
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                        PID:3736
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                          PID:636

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                          Filesize

                          471B

                          MD5

                          6ddb1d9f924c0dff7f8df6a073bc8eaa

                          SHA1

                          8b35715938ca3c18a2e368ea035508d9ac0f7a1a

                          SHA256

                          ecac725e28fa74e59ae3a1327c8dec9d01d53818e4261d9f22145e7f0b06f3b0

                          SHA512

                          f09b130b3feeff4faa1ef47e94ca8228bca5e09b34b44c546982765858657becbf54b485b9fb8f48d4d57cecece2bae078fef2d6d4b5af92f0b1277d71e06475

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                          Filesize

                          412B

                          MD5

                          40adc89389ecbb2135acd21caeaaa1ca

                          SHA1

                          0f86fd9725250debf3017686a5196144d62c4180

                          SHA256

                          ed3f9ae5aabbf5ae7c90499e8a39d73d5d8df28456e666e5110514366d2eddb4

                          SHA512

                          e2edfc2aec40d29ca131fffe497dfa00b84e3fa65f9a80e4d61564380a340f1b6cedda6dbcf83b985e2f5ea1c723978897179178d152cbb1ef7f503c651fda1d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\..exe
                          Filesize

                          47KB

                          MD5

                          0baac525ab667acc805e5fc39365677d

                          SHA1

                          bdbf2f2896c5f611bf05d511ae5df283fd4d5075

                          SHA256

                          dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5

                          SHA512

                          f37354cb81e09257926406b02d680387a004886a906b2e7319e6eec25e1e62cc1fd93cb6f27fe1781527613ac329fad25f1a38b9785c4dc685fa142cbeed5cf4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\..exe
                          Filesize

                          47KB

                          MD5

                          0baac525ab667acc805e5fc39365677d

                          SHA1

                          bdbf2f2896c5f611bf05d511ae5df283fd4d5075

                          SHA256

                          dc80f45af1fbb5cdad109756841f7668bb5c7688c14434892f8d53c9c64729d5

                          SHA512

                          f37354cb81e09257926406b02d680387a004886a906b2e7319e6eec25e1e62cc1fd93cb6f27fe1781527613ac329fad25f1a38b9785c4dc685fa142cbeed5cf4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmp7520.tmp.bat
                          Filesize

                          148B

                          MD5

                          047941e4e808e424278eecb166cf2577

                          SHA1

                          9e94ae09c15bbf498ed91233d0602f5a3d112692

                          SHA256

                          3f210371a72e9e08e9cb4b37af0c8c16105ba2e27c9ee7cb5343226b22d95260

                          SHA512

                          374946159b4399f11bfeedc76ed7d4d7e19936c54a8a9400ed3ef689074310ac6c27444900b94c4d88b3c397b627dcfb461873762713ba645f61152281366a81

                          Download Submit

                        • memory/1832-1-0x00007FFFC2430000-0x00007FFFC2EF1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1832-2-0x0000000000A60000-0x0000000000A70000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1832-7-0x00007FFFC2430000-0x00007FFFC2EF1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1832-0-0x0000000000250000-0x0000000000262000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/3100-13-0x000000001B530000-0x000000001B540000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3100-18-0x000000001B530000-0x000000001B540000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3100-17-0x00007FFFCD9E0000-0x00007FFFCD9F9000-memory.dmp

                          Filesize

                          100KB

                          Download

                        • memory/3100-98-0x00007FFFC1BD0000-0x00007FFFC2691000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3100-16-0x00007FFFC1BD0000-0x00007FFFC2691000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3100-12-0x00007FFFC1BD0000-0x00007FFFC2691000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3100-90-0x000000001B340000-0x000000001B35E000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/3100-89-0x000000001B330000-0x000000001B33C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/3100-88-0x000000001B380000-0x000000001B3F6000-memory.dmp

                          Filesize

                          472KB

                          Download

                        • memory/3920-57-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-71-0x000001DCB5A10000-0x000001DCB5A11000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-55-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-58-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-59-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-60-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-61-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-62-0x000001DCB5AE0000-0x000001DCB5AE1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-63-0x000001DCB5AD0000-0x000001DCB5AD1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-65-0x000001DCB5AE0000-0x000001DCB5AE1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-68-0x000001DCB5AD0000-0x000001DCB5AD1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-56-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-83-0x000001DCB5C10000-0x000001DCB5C11000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-85-0x000001DCB5C20000-0x000001DCB5C21000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-86-0x000001DCB5C20000-0x000001DCB5C21000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-87-0x000001DCB5D30000-0x000001DCB5D31000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-54-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-53-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-52-0x000001DCB5EC0000-0x000001DCB5EC1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-51-0x000001DCB5E90000-0x000001DCB5E91000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3920-35-0x000001DCAD8A0000-0x000001DCAD8B0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3920-19-0x000001DCAD7A0000-0x000001DCAD7B0000-memory.dmp

                          Filesize

                          64KB

                          Download