Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/01/2024, 04:13

General

  • Target
    4a68fda291581b91ef1b75893087dd08.exe
  • Size
    512KB
  • MD5
    4a68fda291581b91ef1b75893087dd08
  • SHA1
    4a53775d7b229a6641a8787ad95e78bd120059f9
  • SHA256
    86519701b3ca3206d80200bd34376b6a8571cc630fdc6812d7ed0adee8679b45
  • SHA512
    e2d2fb24042bdc05b713899c4d7446a3083fba4406b460c81caba6cb4d293712b86c6703e84ba3ad1770dee5fe22993d410979ba78422f2de614819cded456d1
  • SSDEEP
    12288:Uhsl2HqZov6n4zexn8ILg6qDwoMwIgtoHZ:UhsYioWxndwwHZ

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
    "C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 04:19 /du 23:59 /sc daily /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:4456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:3112

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.bat
          Filesize
          279B
          MD5
          5646ffca9010fadeea65508fc0557edd
          SHA1
          a4325bc8b7ca669d83a0173a750643125541d834
          SHA256
          68b44af97ee56aee4140dfdbbead2be90ac79578fe9d7576d5b4a0ca34143891
          SHA512
          30488a46bde56da0195de8b07d832d206ef6fd9b06565680a62ad723c87b43eb876888b73f59a16e3a8da688d11275ef9311ff7b40a67df13feb19f4a838d8b9

        • C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
          Filesize
          1.1MB
          MD5
          5bad497a650b57df343a8cc83d8d57d7
          SHA1
          99771baf8d1fb0b0240e9ffcf12072c86e9ae8fd
          SHA256
          2b0d55b46ce45dc7dd72e4fd2b8b865631176287d61e4a2605dc639fd094e38d
          SHA512
          0e5cc01aa02c25beddd1e8539052bb23ea858654157a56c5edc6301be8b8569b0040e70d57e1a108ce3b85b2ef2d22691992a4198b9d884b30cf1aa17bf2d536

        • C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
          Filesize
          1.3MB
          MD5
          cb01007b07d95b1afe254e4d3accea10
          SHA1
          d451fe4bb32783bbe3f0f3d265785e580fc76b98
          SHA256
          ee7934efa11464f331c0af599a0d758ca773432183c38cc0ac5a4b4a56c536ac
          SHA512
          935808305b980b4c41e3cdd51631cd1f44964dd3b0709716f956b75f39604193029bfc8443579eb426ba66c5f053e10b69d45f66e15ee69088431c6c535dd2f4

        • memory/1616-29-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-30-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-36-0x0000000006AA0000-0x0000000006BA0000-memory.dmp
          Filesize
          1024KB
        • memory/1616-35-0x0000000006AA0000-0x0000000006BA0000-memory.dmp
          Filesize
          1024KB
        • memory/1616-34-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-33-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-32-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-31-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-24-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-28-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-23-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-19-0x0000000074910000-0x00000000750C0000-memory.dmp
          Filesize
          7.7MB
        • memory/1616-21-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-20-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-26-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/1616-27-0x0000000074910000-0x00000000750C0000-memory.dmp
          Filesize
          7.7MB
        • memory/1616-22-0x00000000060A0000-0x00000000060AA000-memory.dmp
          Filesize
          40KB
        • memory/1616-25-0x00000000053E0000-0x00000000053F0000-memory.dmp
          Filesize
          64KB
        • memory/4304-4-0x0000000005250000-0x0000000005260000-memory.dmp
          Filesize
          64KB
        • memory/4304-1-0x0000000000410000-0x0000000000496000-memory.dmp
          Filesize
          536KB
        • memory/4304-2-0x00000000054A0000-0x0000000005A44000-memory.dmp
          Filesize
          5.6MB
        • memory/4304-0-0x0000000074910000-0x00000000750C0000-memory.dmp
          Filesize
          7.7MB
        • memory/4304-15-0x0000000074910000-0x00000000750C0000-memory.dmp
          Filesize
          7.7MB
        • memory/4304-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp
          Filesize
          584KB
        • memory/4304-9-0x0000000074910000-0x00000000750C0000-memory.dmp
          Filesize
          7.7MB
        • memory/4304-8-0x0000000005250000-0x0000000005260000-memory.dmp
          Filesize
          64KB
        • memory/4304-7-0x0000000005250000-0x0000000005260000-memory.dmp
          Filesize
          64KB
        • memory/4304-6-0x0000000005250000-0x0000000005260000-memory.dmp
          Filesize
          64KB
        • memory/4304-5-0x0000000005250000-0x0000000005260000-memory.dmp
          Filesize
          64KB