Analysis Overview
SHA256
40103845914595c6530057b509cecacb96e8666e722f244e82270e3996572317
Threat Level: Known bad
The file mumayangben.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-02-26 13:00
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win11-20240221-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1032 wrote to memory of 8 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1032 wrote to memory of 8 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1032 wrote to memory of 8 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
Network
Files
memory/8-0-0x0000000073A70000-0x00000000753E1000-memory.dmp
memory/8-1-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
memory/8-2-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/8-3-0x0000000002BC0000-0x0000000002BC1000-memory.dmp
memory/8-4-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/8-5-0x0000000002D20000-0x0000000002D21000-memory.dmp
memory/8-6-0x0000000002D30000-0x0000000002D31000-memory.dmp
memory/8-7-0x0000000002D40000-0x0000000002D41000-memory.dmp
memory/8-8-0x0000000002D50000-0x0000000002D51000-memory.dmp
memory/8-9-0x0000000073A70000-0x00000000753E1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win10-20240221-en
Max time kernel
137s
Max time network
160s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe
"C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe"
Network
| Country | Destination | Domain | Proto |
| SG | 128.199.66.119:56789 | | tcp |
| US | 8.8.8.8:53 | 119.66.199.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.150.79.40.in-addr.arpa | udp |
Files
memory/4616-0-0x0000000072070000-0x00000000739E1000-memory.dmp
memory/4616-1-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/4616-2-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/4616-3-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
memory/4616-4-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/4616-6-0x0000000000F00000-0x0000000000F01000-memory.dmp
memory/4616-5-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
memory/4616-7-0x0000000000F10000-0x0000000000F11000-memory.dmp
memory/4616-8-0x0000000000F20000-0x0000000000F21000-memory.dmp
memory/4616-9-0x0000000072070000-0x00000000739E1000-memory.dmp
memory/4616-13-0x0000000000F60000-0x0000000000F79000-memory.dmp
memory/4616-14-0x0000000071120000-0x000000007180E000-memory.dmp
memory/4616-15-0x0000000005940000-0x0000000005950000-memory.dmp
memory/4616-16-0x00000000032B0000-0x00000000032C6000-memory.dmp
memory/4616-17-0x0000000005940000-0x0000000005950000-memory.dmp
memory/4616-18-0x0000000005940000-0x0000000005950000-memory.dmp
memory/4616-19-0x000000007702F000-0x0000000077030000-memory.dmp
memory/4616-20-0x0000000006520000-0x0000000006A1E000-memory.dmp
memory/4616-21-0x00000000060E0000-0x0000000006146000-memory.dmp
memory/4616-22-0x0000000072070000-0x00000000739E1000-memory.dmp
memory/4616-23-0x0000000071120000-0x000000007180E000-memory.dmp
memory/4616-24-0x0000000005940000-0x0000000005950000-memory.dmp
memory/4616-25-0x0000000005940000-0x0000000005950000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win10v2004-20240221-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe
"C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| SG | 128.199.66.119:56789 | | tcp |
| US | 8.8.8.8:53 | 119.66.199.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/4136-0-0x0000000073790000-0x0000000075101000-memory.dmp
memory/4136-1-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/4136-2-0x00000000025D0000-0x00000000025D1000-memory.dmp
memory/4136-3-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/4136-4-0x0000000002610000-0x0000000002611000-memory.dmp
memory/4136-6-0x0000000002630000-0x0000000002631000-memory.dmp
memory/4136-5-0x0000000002620000-0x0000000002621000-memory.dmp
memory/4136-7-0x0000000002640000-0x0000000002641000-memory.dmp
memory/4136-8-0x0000000002650000-0x0000000002651000-memory.dmp
memory/4136-10-0x0000000073790000-0x0000000075101000-memory.dmp
memory/4136-13-0x00000000029F0000-0x0000000002A09000-memory.dmp
memory/4136-14-0x00000000725C0000-0x0000000072D70000-memory.dmp
memory/4136-15-0x0000000005220000-0x0000000005236000-memory.dmp
memory/4136-16-0x0000000005270000-0x0000000005280000-memory.dmp
memory/4136-17-0x0000000005270000-0x0000000005280000-memory.dmp
memory/4136-18-0x0000000005270000-0x0000000005280000-memory.dmp
memory/4136-19-0x0000000005270000-0x0000000005280000-memory.dmp
memory/4136-20-0x0000000077351000-0x0000000077352000-memory.dmp
memory/4136-21-0x0000000006040000-0x00000000065E4000-memory.dmp
memory/4136-22-0x0000000005B60000-0x0000000005BC6000-memory.dmp
memory/4136-23-0x0000000073790000-0x0000000075101000-memory.dmp
memory/4136-24-0x0000000073790000-0x0000000075101000-memory.dmp
memory/4136-25-0x00000000725C0000-0x0000000072D70000-memory.dmp
memory/4136-26-0x0000000005270000-0x0000000005280000-memory.dmp
memory/4136-27-0x0000000005270000-0x0000000005280000-memory.dmp
memory/4136-28-0x0000000005270000-0x0000000005280000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
Network
Files
memory/1816-0-0x00000000703C0000-0x0000000071D31000-memory.dmp
memory/1816-1-0x0000000000180000-0x0000000000181000-memory.dmp
memory/1816-3-0x0000000000180000-0x0000000000181000-memory.dmp
memory/1816-5-0x0000000000180000-0x0000000000181000-memory.dmp
memory/1816-6-0x0000000000190000-0x0000000000191000-memory.dmp
memory/1816-9-0x0000000000190000-0x0000000000191000-memory.dmp
memory/1816-12-0x0000000000190000-0x0000000000191000-memory.dmp
memory/1816-8-0x00000000703C0000-0x0000000071D31000-memory.dmp
memory/1816-11-0x0000000077220000-0x0000000077221000-memory.dmp
memory/1816-13-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1816-15-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1816-17-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1816-20-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1816-18-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1816-22-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1816-24-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1816-25-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1816-28-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1816-30-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1816-33-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1816-35-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1816-38-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1816-40-0x00000000001F0000-0x00000000001F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win10-20240221-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4432 wrote to memory of 524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4432 wrote to memory of 524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4432 wrote to memory of 524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
Files
memory/524-0-0x00000000725F0000-0x0000000073F61000-memory.dmp
memory/524-1-0x00000000008B0000-0x00000000008B1000-memory.dmp
memory/524-3-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/524-2-0x00000000008C0000-0x00000000008C1000-memory.dmp
memory/524-5-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/524-4-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/524-7-0x00000000725F0000-0x0000000073F61000-memory.dmp
memory/524-8-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/524-9-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/524-6-0x0000000000C90000-0x0000000000C91000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\K7AVWScn.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/4776-0-0x00000000733F0000-0x0000000074D61000-memory.dmp
memory/4776-1-0x00000000011D0000-0x00000000011D1000-memory.dmp
memory/4776-2-0x00000000011E0000-0x00000000011E1000-memory.dmp
memory/4776-4-0x0000000001220000-0x0000000001221000-memory.dmp
memory/4776-3-0x00000000011F0000-0x00000000011F1000-memory.dmp
memory/4776-5-0x0000000001230000-0x0000000001231000-memory.dmp
memory/4776-7-0x0000000001240000-0x0000000001241000-memory.dmp
memory/4776-6-0x00000000733F0000-0x0000000074D61000-memory.dmp
memory/4776-8-0x0000000001250000-0x0000000001251000-memory.dmp
memory/4776-9-0x0000000001260000-0x0000000001261000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win7-20240221-en
Max time kernel
118s
Max time network
152s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe
"C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe"
Network
| Country | Destination | Domain | Proto |
| SG | 128.199.66.119:56789 | | tcp |
Files
memory/2856-0-0x0000000072630000-0x0000000073FA1000-memory.dmp
memory/2856-1-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2856-3-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2856-6-0x0000000072630000-0x0000000073FA1000-memory.dmp
memory/2856-8-0x0000000077BC0000-0x0000000077BC1000-memory.dmp
memory/2856-7-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2856-5-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2856-10-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2856-12-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2856-13-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2856-15-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2856-17-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2856-18-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2856-20-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2856-22-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2856-25-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2856-27-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2856-30-0x0000000000750000-0x0000000000751000-memory.dmp
memory/2856-40-0x0000000000770000-0x0000000000771000-memory.dmp
memory/2856-42-0x0000000000770000-0x0000000000771000-memory.dmp
memory/2856-37-0x0000000000760000-0x0000000000761000-memory.dmp
memory/2856-35-0x0000000000760000-0x0000000000761000-memory.dmp
memory/2856-32-0x0000000000750000-0x0000000000751000-memory.dmp
memory/2856-46-0x00000000007E0000-0x00000000007F9000-memory.dmp
memory/2856-47-0x0000000000B70000-0x0000000000B86000-memory.dmp
memory/2856-48-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/2856-49-0x0000000005440000-0x0000000005480000-memory.dmp
memory/2856-50-0x0000000077C00000-0x0000000077C01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6E6E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2856-67-0x0000000072630000-0x0000000073FA1000-memory.dmp
memory/2856-68-0x00000000747B0000-0x0000000074E9E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-26 13:00
Reported
2024-02-26 13:03
Platform
win11-20240221-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe
"C:\Users\Admin\AppData\Local\Temp\K7AVWScn.exe"
Network
| Country | Destination | Domain | Proto |
| SG | 128.199.66.119:56789 | | tcp |
| US | 8.8.8.8:53 | 119.66.199.128.in-addr.arpa | udp |
Files
memory/2244-0-0x0000000073520000-0x0000000074E91000-memory.dmp
memory/2244-1-0x0000000002FF0000-0x0000000002FF1000-memory.dmp
memory/2244-3-0x0000000003100000-0x0000000003101000-memory.dmp
memory/2244-2-0x0000000073520000-0x0000000074E91000-memory.dmp
memory/2244-4-0x0000000003110000-0x0000000003111000-memory.dmp
memory/2244-5-0x0000000003160000-0x0000000003161000-memory.dmp
memory/2244-6-0x0000000003180000-0x0000000003181000-memory.dmp
memory/2244-7-0x0000000003190000-0x0000000003191000-memory.dmp
memory/2244-8-0x00000000031A0000-0x00000000031A1000-memory.dmp
memory/2244-9-0x00000000031B0000-0x00000000031B1000-memory.dmp
memory/2244-10-0x0000000073520000-0x0000000074E91000-memory.dmp
memory/2244-13-0x0000000003650000-0x0000000003669000-memory.dmp
memory/2244-14-0x00000000722B0000-0x0000000072A61000-memory.dmp
memory/2244-15-0x0000000003B40000-0x0000000003B56000-memory.dmp
memory/2244-16-0x0000000003D40000-0x0000000003D50000-memory.dmp
memory/2244-17-0x0000000003D40000-0x0000000003D50000-memory.dmp
memory/2244-18-0x0000000077212000-0x0000000077213000-memory.dmp
memory/2244-19-0x0000000006DE0000-0x0000000007386000-memory.dmp
memory/2244-20-0x00000000068F0000-0x0000000006956000-memory.dmp
memory/2244-21-0x0000000073520000-0x0000000074E91000-memory.dmp
memory/2244-22-0x00000000722B0000-0x0000000072A61000-memory.dmp
memory/2244-23-0x0000000003D40000-0x0000000003D50000-memory.dmp
memory/2244-24-0x0000000003D40000-0x0000000003D50000-memory.dmp
memory/2244-25-0x0000000003D40000-0x0000000003D50000-memory.dmp
memory/2244-26-0x0000000003D40000-0x0000000003D50000-memory.dmp