Analysis Overview
SHA256: 09b1cb8d457625091e02d13c9f6323309a5652ed4e8b33eaf9c994ca9c849805
Threat Level: Known bad
The file 297942cdaf9c3efc3968bab08b2a69ea.bin was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-12 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-12 01:42
Reported: 2024-03-12 01:45
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 126s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe
"C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\codbypass.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\I3G4883T852C.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\icons8-call-of-duty-mobile-50.ico
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Untitled-1.jpg
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0038.btn
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0039.btn
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0001.btn
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-12 01:42
Reported: 2024-03-12 01:45
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 138s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4276 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe |
| PID 4276 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe |
| PID 4276 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe
"C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x538 0x534
Network
Files
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\codbypass.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\I3G4883T852C.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\icons8-call-of-duty-mobile-50.ico
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Untitled-1.jpg
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0038.btn
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0001.btn
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0039.btn