Analysis Overview
SHA256
a2163c100214cbfb13acab8601629a0cc0a6a65fe2454962f1d0d4e66a6bd713
Threat Level: Known bad
The file a2163c100214cbfb13acab8601629a0cc0a6a65fe2454962f1d0d4e66a6bd713 was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
AsyncRat
Async RAT payload
Async RAT payload
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 17:40
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 17:40
Reported
2024-04-19 17:43
Platform
win7-20240221-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsDefender.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsDefender.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe
"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA257.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:16234 | 6.tcp.eu.ngrok.io | tcp |
Files
memory/2344-0-0x0000000000D30000-0x0000000000D42000-memory.dmp
memory/2344-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
memory/2344-2-0x000000001AF30000-0x000000001AFB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA257.tmp.bat
| MD5 | 659adeabd04a160da068a6ccc2fa9f29 |
| SHA1 | 5a5a004aef7e94e5dcffe212c9e5aa04e48d43b1 |
| SHA256 | 6b6e609e70ae90f6be40f25298064d2ad8f30cd9d9ea72c76071f09b029f3834 |
| SHA512 | 6531a359567917208c2eeb1db4a017603dfc0f154f3b936ef4b2b88a29053f6657c4d58c47399944371448ff05c2fdd6c6b6cde5223eb7cc1144a6b99d481dd7 |
memory/2344-12-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
| MD5 | 304d41baaa716a6d582877785f93ef68 |
| SHA1 | a2b16217d6326c54fbd7ca5586519d50ce3e20ca |
| SHA256 | 760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea |
| SHA512 | 2a1f1859bf1ee1ff3be5469d44daf96ba8e6f26e377a6e538e64be815d4e7eb87911b0cbd2cddd3135c2f0e6933151fc47f8aeefa22e7becfa1babb8d38f3a41 |
memory/2512-16-0x00000000008C0000-0x00000000008D2000-memory.dmp
memory/2512-17-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
memory/2512-18-0x000000001AF20000-0x000000001AFA0000-memory.dmp
memory/2512-19-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
memory/2512-20-0x000000001AF20000-0x000000001AFA0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 17:40
Reported
2024-04-19 17:43
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsDefender.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsDefender.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe
"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp43CA.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:16234 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 249.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| DE | 3.66.38.117:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:16234 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| DE | 18.197.239.109:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:8848 | tcp | |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:16234 | 6.tcp.eu.ngrok.io | tcp |
Files
memory/1536-0-0x00000000007D0000-0x00000000007E2000-memory.dmp
memory/1536-1-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp
memory/1536-2-0x0000000002880000-0x0000000002890000-memory.dmp
memory/1536-7-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp43CA.tmp.bat
| MD5 | f1908c5e9b6ed73565e73d7f9bd3558f |
| SHA1 | 09d270c90e7b33647e2547ac719382c1dc5d12a5 |
| SHA256 | 2c6afd539b177a42e82b4fe9006a6fdd6593a0e933c749c20516baa908ea6aec |
| SHA512 | cbba7759c0f4dd5bde4ac3f6c9d6d3f9f5d9f8d2123acf95f878d4dc310c239c1a576f8ef2d8ce0ce768c87ccecf56332d6765b4d02eb530c9edafdaa9f047c0 |
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
| MD5 | 304d41baaa716a6d582877785f93ef68 |
| SHA1 | a2b16217d6326c54fbd7ca5586519d50ce3e20ca |
| SHA256 | 760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea |
| SHA512 | 2a1f1859bf1ee1ff3be5469d44daf96ba8e6f26e377a6e538e64be815d4e7eb87911b0cbd2cddd3135c2f0e6933151fc47f8aeefa22e7becfa1babb8d38f3a41 |
memory/540-12-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp
memory/540-13-0x000000001B580000-0x000000001B590000-memory.dmp
memory/540-14-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp
memory/540-15-0x000000001B580000-0x000000001B590000-memory.dmp