Overview

overview

10

Static

static

10

fixer.exe

windows7-x64

10

fixer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2024 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fixer.exe

  • Size

    49KB

  • MD5

    041086a69579dc26514645814a4bba5c

  • SHA1

    07c7bf2bf5953ba3369ab727ff8a06e93fc2ccfd

  • SHA256

    c633b31880ac53ee6282c0d7a7daae5c9ecc024055de85b77a17ffe9be5ebe08

  • SHA512

    07a18aa25f2b201613e26c5c50aef20b8d2d77b2a89ac983ee00d4ed223f6dbdec424b673735baa22b76d6fb31367de912ad56e8066c8e470bcb886e1959dd77

  • SSDEEP

    768:aBxKJlVRLxt5A0fjXiqVNcr4Lp2FimUbgCxB/yzuoxGZkpqKYhY7:f37/jXi+L7NECvyzz4kpqKmY7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:35259

147.185.221.19:35259
Attributes
  • delay

    1

  • install

    true

  • install_file

    MS_EDGE_TEMP_.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MS_EDGE_TEMP_" /tr '"C:\Users\Admin\AppData\Roaming\MS_EDGE_TEMP_.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "MS_EDGE_TEMP_" /tr '"C:\Users\Admin\AppData\Roaming\MS_EDGE_TEMP_.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3320
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD273.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4756
      • C:\Users\Admin\AppData\Roaming\MS_EDGE_TEMP_.exe
        "C:\Users\Admin\AppData\Roaming\MS_EDGE_TEMP_.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD273.tmp.bat
    Filesize

    157B

    MD5

    d72153d93e5c2de449554e4789c3aab1

    SHA1

    eb44e8671ed69f9ce27bba3462644b4bbf4422f9

    SHA256

    17900eaaf4a5f806a1547b1d2f732feaf4878d1f66b63071792beace80bc4e5f

    SHA512

    f0bb5b11cdde79ed91581d3bec5e0864dd1a2414c6471016ccac6d750d26bab19247651b60dab7a6c378b30a30949fd4f97ba655d18a575a4e5a57028352a557

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MS_EDGE_TEMP_.exe
    Filesize

    49KB

    MD5

    041086a69579dc26514645814a4bba5c

    SHA1

    07c7bf2bf5953ba3369ab727ff8a06e93fc2ccfd

    SHA256

    c633b31880ac53ee6282c0d7a7daae5c9ecc024055de85b77a17ffe9be5ebe08

    SHA512

    07a18aa25f2b201613e26c5c50aef20b8d2d77b2a89ac983ee00d4ed223f6dbdec424b673735baa22b76d6fb31367de912ad56e8066c8e470bcb886e1959dd77

    Download Submit

  • memory/1016-20-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1016-19-0x00007FF84C860000-0x00007FF84D321000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1016-18-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1016-17-0x00000000010C0000-0x00000000010D6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1016-16-0x00007FF84C860000-0x00007FF84D321000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4268-3-0x000000001BA80000-0x000000001BA90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4268-11-0x00007FF86AAD0000-0x00007FF86ACC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4268-10-0x00007FF84CA60000-0x00007FF84D521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4268-9-0x00007FF857DC0000-0x00007FF857DD9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4268-6-0x00007FF86AAD0000-0x00007FF86ACC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4268-0-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4268-2-0x00007FF84CA60000-0x00007FF84D521000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4268-1-0x0000000001280000-0x0000000001296000-memory.dmp

    Filesize

    88KB

    Download