Analysis Overview
SHA256
0b345b247f56c4cdf9d25bd322370debe8203dd610378f9b9564bd1cd803f0b4
Threat Level: Known bad
The file 0b345b247f56c4cdf9d25bd322370debe8203dd610378f9b9564bd1cd803f0b4 was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Async RAT payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 18:18
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 18:18
Reported
2024-04-19 18:21
Platform
win7-20240221-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aha.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe
"C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aha" /tr '"C:\Users\Admin\AppData\Local\Temp\aha.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "aha" /tr '"C:\Users\Admin\AppData\Local\Temp\aha.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\aha.exe
"C:\Users\Admin\AppData\Local\Temp\aha.exe"
Network
| Country | Destination | Domain | Proto |
| SK | 193.32.232.64:7777 | tcp | |
| SK | 193.32.232.64:7777 | tcp | |
| SK | 193.32.232.64:7777 | tcp | |
| SK | 193.32.232.64:7777 | tcp | |
| SK | 193.32.232.64:7777 | tcp | |
| SK | 193.32.232.64:7777 | tcp |
Files
memory/2820-1-0x0000000074280000-0x000000007496E000-memory.dmp
memory/2820-0-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
memory/2820-2-0x0000000004C70000-0x0000000004CB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.bat
| MD5 | 3b87370f1e8bc78a4a5a0008b7429e82 |
| SHA1 | 52efd2da3f8eaba209b1ae11c29550b703c43371 |
| SHA256 | b0d9b4a9ff836d03282962923e558c5e1fab4f206997fb7a91a86e87b279a9b5 |
| SHA512 | 81cff4d27f9541cc165e229a67251819fd6783f9bbe59a3df0c7c8e02315eef3fb7301738d5f6a728c445767917a656d30523b670ff424a94415981d8b3cf5bd |
memory/2820-11-0x0000000074280000-0x000000007496E000-memory.dmp
\Users\Admin\AppData\Local\Temp\aha.exe
| MD5 | aa16b5a6c856065b71f4e07cd37d9240 |
| SHA1 | 1e1984ffb7b94566f51afb242897ec963588ef42 |
| SHA256 | 06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff |
| SHA512 | e1a7fdef0139a11b796fba41e4e5538d857cd8b9bd2556c8883abec9615fc967f033ecd7afa779c73e9b425462ff646c4a6e4c68b4db7d9b6760efc3397d87e1 |
memory/2456-16-0x00000000013B0000-0x00000000013C2000-memory.dmp
memory/2456-17-0x0000000074230000-0x000000007491E000-memory.dmp
memory/2456-18-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2456-19-0x0000000074230000-0x000000007491E000-memory.dmp
memory/2456-20-0x0000000001320000-0x0000000001360000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 18:18
Reported
2024-04-19 18:22
Platform
win10v2004-20240226-en
Max time kernel
158s
Max time network
164s
Command Line
Signatures
AsyncRat
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe
"C:\Users\Admin\AppData\Local\Temp\06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.213.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/3256-0-0x0000000074EA0000-0x0000000075650000-memory.dmp
memory/3256-1-0x0000000000BD0000-0x0000000000BE2000-memory.dmp
memory/3256-2-0x0000000074EA0000-0x0000000075650000-memory.dmp
memory/3256-3-0x0000000005520000-0x0000000005530000-memory.dmp
memory/3256-4-0x0000000005520000-0x0000000005530000-memory.dmp
memory/3256-5-0x0000000005950000-0x00000000059EC000-memory.dmp