Analysis Overview
SHA256
08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
Threat Level: Known bad
The file 712940BAEF78C821E36B8701BF073C52.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Downloads MZ/PE file
Suspicious use of SetThreadContext
Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 09:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 09:36
Reported
2024-04-19 09:38
Platform
win7-20231129-en
Max time kernel
118s
Max time network
143s
Command Line
Signatures
AsyncRat
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2372 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHtAsKs.EXe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe
"C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe"
C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates833481094 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:37 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {559638E5-9D6D-478A-BDB8-A5FB20F6D7A4} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
Network
| Country | Destination | Domain | Proto |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:7707 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
| MD5 | 712940baef78c821e36b8701bf073c52 |
| SHA1 | d59896b87424fafc0d00ab5e5c2019bd941167ce |
| SHA256 | 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f |
| SHA512 | 68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 09:36
Reported
2024-04-19 09:38
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
AsyncRat
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4920 set thread context of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHtAsKs.EXe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe
"C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe"
C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates1433410439 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:37 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 204.12.199.30:20991 | 204.12.199.30 | tcp |
| US | 8.8.8.8:53 | 30.199.12.204.in-addr.arpa | udp |
| US | 204.12.199.30:8808 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
| MD5 | 712940baef78c821e36b8701bf073c52 |
| SHA1 | d59896b87424fafc0d00ab5e5c2019bd941167ce |
| SHA256 | 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f |
| SHA512 | 68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Accounts_Ledger_Software.eXE.log
| MD5 | 3bbb825ef1319deb378787046587112b |
| SHA1 | 67da95f0031be525b4cf10645632ca34d66b913b |
| SHA256 | d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0 |
| SHA512 | 7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54 |