Overview

overview

10

Static

static

10

97f70b6807...90.exe

windows7-x64

10

97f70b6807...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97f70b6807192398746dd93449c2fdf4353533313c021aca4d0aa5e74f82d990.exe

  • Size

    65KB

  • MD5

    3712477f2075218e74bdf987b23b578d

  • SHA1

    95d8ef64bfc80a2cda65a4992a63083988207f67

  • SHA256

    97f70b6807192398746dd93449c2fdf4353533313c021aca4d0aa5e74f82d990

  • SHA512

    1a767e93ca25f0117864a5c3e1eced57a8142d5fc3d300f64f2460aac3e13ae826fc06aba195f75184651f06a76ad8f2c7adeb35ff297dc7a2ce55b9503e2e8f

  • SSDEEP

    1536:dumO1TQq726uw/O2CenkR7bExca0tICKfX5WxHd5w:dumaTQq725w/bCenkVbExzCKfX8xHjw

Score
10/10
asyncratheirat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Hei

Mutex

r6rQyqJg4Z3n

Attributes
  • c2_url_file

    http://d.sso.mom:18086/SSIP.html

  • delay

    3

  • install

    true

  • install_file

    Micrcsoft.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97f70b6807192398746dd93449c2fdf4353533313c021aca4d0aa5e74f82d990.exe
    "C:\Users\Admin\AppData\Local\Temp\97f70b6807192398746dd93449c2fdf4353533313c021aca4d0aa5e74f82d990.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Micrcsoft" /tr '"C:\Users\Admin\AppData\Roaming\Micrcsoft.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Micrcsoft" /tr '"C:\Users\Admin\AppData\Roaming\Micrcsoft.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp47D6.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1496
      • C:\Users\Admin\AppData\Roaming\Micrcsoft.exe
        "C:\Users\Admin\AppData\Roaming\Micrcsoft.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp47D6.tmp.bat
    Filesize

    153B

    MD5

    2ef836f56725e2d3a713dcca9511c0b9

    SHA1

    1f525f6d2b34e665837065f00d8c0190d6d36ff9

    SHA256

    59f7707444a5c4471e22f0b30e96a3bac7d62d7089afab0de57f8a0f87481175

    SHA512

    0cf0450e810b7e755e5d441232fea4a7587219e88fc16d967eadf2306d1eaa6497b13ced735a573f6fd129e39ab336d876ebb265008251faffab02f5f9f3e254

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Micrcsoft.exe
    Filesize

    65KB

    MD5

    3712477f2075218e74bdf987b23b578d

    SHA1

    95d8ef64bfc80a2cda65a4992a63083988207f67

    SHA256

    97f70b6807192398746dd93449c2fdf4353533313c021aca4d0aa5e74f82d990

    SHA512

    1a767e93ca25f0117864a5c3e1eced57a8142d5fc3d300f64f2460aac3e13ae826fc06aba195f75184651f06a76ad8f2c7adeb35ff297dc7a2ce55b9503e2e8f

    Download Submit

  • memory/3272-0-0x0000000000E80000-0x0000000000E96000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3272-1-0x0000000074500000-0x0000000074CB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3272-2-0x00000000057F0000-0x0000000005800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3272-3-0x00000000058A0000-0x000000000593C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3272-8-0x0000000074500000-0x0000000074CB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3368-13-0x0000000074460000-0x0000000074C10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3368-14-0x00000000051F0000-0x0000000005200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3368-15-0x0000000074460000-0x0000000074C10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3368-16-0x00000000051F0000-0x0000000005200000-memory.dmp

    Filesize

    64KB

    Download