Analysis Overview
SHA256
08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
Threat Level: Known bad
The file 712940BAEF78C821E36B8701BF073C52.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Downloads MZ/PE file
Suspicious use of SetThreadContext
Executes dropped EXE
Program crash
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 09:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 09:35
Reported
2024-04-19 09:38
Platform
win7-20240221-en
Max time kernel
124s
Max time network
154s
Command Line
Signatures
AsyncRat
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 924 set thread context of 932 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SCHtAsKs.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHtAsKs.EXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHtAsKs.EXe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe
"C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe"
C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates310628529 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:36 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
C:\Windows\system32\taskeng.exe
taskeng.exe {B0C74251-6EF6-417A-8562-93E26C829358} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates310628529 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:37 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1228
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates310628529 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:8808 | | tcp |
Files
memory/2216-0-0x0000000000C40000-0x0000000000C5A000-memory.dmp
memory/2216-1-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2216-2-0x0000000002120000-0x0000000002160000-memory.dmp
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
| MD5 | 712940baef78c821e36b8701bf073c52 |
| SHA1 | d59896b87424fafc0d00ab5e5c2019bd941167ce |
| SHA256 | 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f |
| SHA512 | 68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007 |
memory/2632-6-0x0000000000850000-0x000000000086A000-memory.dmp
memory/2632-7-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2632-8-0x0000000004AF0000-0x0000000004B30000-memory.dmp
memory/2632-9-0x00000000003D0000-0x00000000003DA000-memory.dmp
memory/2632-10-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2216-11-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/2216-12-0x0000000002120000-0x0000000002160000-memory.dmp
memory/924-14-0x0000000001190000-0x00000000011AA000-memory.dmp
memory/924-15-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/924-16-0x0000000000CA0000-0x0000000000CE0000-memory.dmp
memory/932-20-0x0000000000400000-0x0000000000412000-memory.dmp
memory/932-19-0x0000000000400000-0x0000000000412000-memory.dmp
memory/932-24-0x0000000000400000-0x0000000000412000-memory.dmp
memory/932-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/932-28-0x0000000000400000-0x0000000000412000-memory.dmp
memory/924-29-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/932-26-0x0000000000400000-0x0000000000412000-memory.dmp
memory/932-18-0x0000000000400000-0x0000000000412000-memory.dmp
memory/932-17-0x0000000000400000-0x0000000000412000-memory.dmp
memory/932-30-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/932-31-0x0000000004AB0000-0x0000000004AF0000-memory.dmp
memory/932-49-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/932-50-0x0000000004AB0000-0x0000000004AF0000-memory.dmp
memory/1792-52-0x0000000074330000-0x0000000074A1E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 09:35
Reported
2024-04-19 09:38
Platform
win10v2004-20240412-en
Max time kernel
117s
Max time network
155s
Command Line
Signatures
AsyncRat
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4392 set thread context of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SCHtAsKs.EXe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe
"C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe"
C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates599044173 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:37 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 8.8.8.8:53 | 30.199.12.204.in-addr.arpa | udp |
| US | 204.12.199.30:7707 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4392-0-0x0000000000470000-0x000000000048A000-memory.dmp
memory/4392-1-0x00000000743D0000-0x0000000074B80000-memory.dmp
memory/4392-2-0x0000000005320000-0x00000000058C4000-memory.dmp
memory/4392-3-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/4392-5-0x00000000068E0000-0x00000000068EA000-memory.dmp
memory/4392-6-0x0000000006AD0000-0x0000000006B6C000-memory.dmp
memory/4896-7-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4392-9-0x00000000743D0000-0x0000000074B80000-memory.dmp
memory/4896-10-0x00000000743D0000-0x0000000074B80000-memory.dmp
memory/4896-11-0x0000000005010000-0x0000000005020000-memory.dmp
memory/4896-12-0x00000000054A0000-0x0000000005506000-memory.dmp
memory/4896-13-0x00000000743D0000-0x0000000074B80000-memory.dmp
memory/4896-14-0x0000000005010000-0x0000000005020000-memory.dmp
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
| MD5 | 712940baef78c821e36b8701bf073c52 |
| SHA1 | d59896b87424fafc0d00ab5e5c2019bd941167ce |
| SHA256 | 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f |
| SHA512 | 68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007 |
memory/2724-17-0x00000000743D0000-0x0000000074B80000-memory.dmp
memory/2724-18-0x0000000004E60000-0x0000000004EF2000-memory.dmp
memory/2724-20-0x00000000743D0000-0x0000000074B80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Accounts_Ledger_Software.eXE.log
| MD5 | 3bbb825ef1319deb378787046587112b |
| SHA1 | 67da95f0031be525b4cf10645632ca34d66b913b |
| SHA256 | d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0 |
| SHA512 | 7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54 |
memory/4320-23-0x00000000743D0000-0x0000000074B80000-memory.dmp
memory/4320-24-0x00000000743D0000-0x0000000074B80000-memory.dmp