Overview

overview

10

Static

static

3

ca047f4682...de.exe

windows7-x64

10

ca047f4682...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe

  • Size

    2.2MB

  • MD5

    92612e8a2fc3f5406331b171b6c3b2fa

  • SHA1

    deb4c41292cf8cf0f0187491d1eca4ebb3e47a4f

  • SHA256

    ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade

  • SHA512

    c282a0ae16c1b43799744a4db1f45d229134f1e0b2008a1093f507bf89589b5624a2e0033ad54c00085cb1d80a25adee0a54e7ec19e3cfa600146ccf8aebd497

  • SSDEEP

    49152:/fCXQoEiDfuFdImBttUJkykJVdd4S1OfLKEY8CODmcjVaTofHiMpGv:/fCXQziDHmHu870S0KENlmcIMitv

Score
10/10
asyncratzgratevasionexecutionrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

    execution
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 15 IoCs
  • Executes dropped EXE 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe
    "C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\temp\explorer.exe
      "C:\Windows\temp\explorer.exe" -p123
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"'
            5⤵
            • Creates scheduled task(s)
            PID:4456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9635.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:376
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:3292
          • C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
            "C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3920
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3316
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5748.tmp\hide.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3156
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" +s +h
            5⤵
            • Sets file to hidden
            • Drops startup file
            • Views/modifies file attributes
            PID:3108
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Roaming\*.*" +s +h
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4516
          • C:\Windows\SysWOW64\attrib.exe
            attrib *.* +s +h
            5⤵
            • Sets file to hidden
            • Drops startup file
            • Views/modifies file attributes
            PID:1876
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath 'c:\','d:\','e:\','f:\'.'j:\'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionProcess 'explorer .exe','UPDATE.exe','googleupdate.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4384
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent 2
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5032
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent NeverSend
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off"
            5⤵
              PID:4832
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1
              5⤵
              • Modifies registry class
              PID:4520
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0
              5⤵
                PID:4816

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        960561607092b84818eb3b56a7312462

        SHA1

        1e66c8efa39d2bdaac13e133072d98fbdba44877

        SHA256

        c3318e5c97eb053791061b68c65a65060c28fa2c1f8479cdaca46529ea0c19ef

        SHA512

        d23a10386d6a716bd4b0ea3822cd5eb436c8b30f99ec16eae6661be198db162a1032937ff4377af997ac7a9004f814f8c4170329808e11c13efc4b370716aa77

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        a62368686a6932cf3b5df2c7069bcb36

        SHA1

        f5ce38c79eeb40e85f67b44fb66394222cd16378

        SHA256

        74896ad97b59cce4415968f3e1199dee39547c95e5c1ae05357faec8af60f79b

        SHA512

        e22eae268e522ee1c64cf0b7f538439e324a7aedcc759122436230fa97f28dfbad6bb557e25610845ea9d59bcae137861aaef711647ba14913d85c4d507a6314

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        19134fc9400eec71d9f74a0c79f2dffd

        SHA1

        dd21822c12f5ef22c0a7e265ef728590824aea5f

        SHA256

        55819c92c9b58551d3e01c2a2868e58d1e4619fb14da46182e5accaa886e6501

        SHA512

        d56a53cdf522c679b1a0d759c08612212f421f412a1607bbe5a107bd1832f5ad46178c2a2baa0172233e5608e4abb7590b0d6c5ede9257f0cfd267aaf70d26ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5748.tmp\hide.bat
        Filesize

        955B

        MD5

        fdc8f1d8d7b410678433976973ea8e76

        SHA1

        1572ec51ef38b39e4702f993a25cf1cbb5914fda

        SHA256

        462648eaf83a1385b957078d3ee40e5c1ffcc00f80cee3456c02a38d992f0c7b

        SHA512

        b8c6dd7ba66a0867c3fbc8bcacd1ac9fb67e9548174258ca1f7363ca95d3c39771c12cb0b4d121f0d1e9fe6208c00f21c47fb9a4d100351706fb5e0e1f4bcf1e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxwgv150.ufi.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp9635.tmp.bat
        Filesize

        156B

        MD5

        33d6fa6f6e2e2bdd1803dedbde9ed3cf

        SHA1

        6d8870a57d572a77ff40caf46673ce77634b6df8

        SHA256

        a7e9583d5608f894a2ebf5af1f5d5d62fa01865aaabb70b51b8d7630bf8aebad

        SHA512

        c2d05de7d63477ad0e5dea4bd8698fb36a7eb6e86fcbfa086ba12fe723e62b345d9f4a41bef928d9ea6464872d1d30a343b842284d4076e4363682b74b45312d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
        Filesize

        2.2MB

        MD5

        570c5c4f037ad11d8e3e51d2e9cf5be0

        SHA1

        0f7e2478ef2741f3e6460bf6b5fa6c135a6c0fc8

        SHA256

        0c2b77e6f72dd5736aafaddc75cdee19cde2bd621d0c0c93aae517a29de4e237

        SHA512

        3e5243394ec602098dd11ef77f3ddc0b51d01a8a1ffd829f29b31c237f5e9cf3c011463e619fdc6206bfbee6f0cf43fb681392fd9e1bd35a186e8a059b0beae5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe
        Filesize

        1.2MB

        MD5

        3a7327b010d7f41fdb759fdbaf8134bf

        SHA1

        ddb00f2c736bad53e82f1ef69919314aaf888131

        SHA256

        519a0fb3e4753c330054153fc8813bbfbac63c7ce32afe110c5dc558ec6909fa

        SHA512

        8abfb42add40eadae4aaf5f04edb989f79e6f2d7b080064d488852654f4c17ec08a16cfcfa3947dbf6bf721f113487ef781492d40b281a9a9810946430fd9f90

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe
        Filesize

        46KB

        MD5

        799ce66446d07f987d0e84e50bac4e1f

        SHA1

        957f18dd1e9047b36c504752fea23b489dd7c4ae

        SHA256

        29eb1c9a192e737c103da9f99ca3e8ed722fe36d5c3073be006867bb0dc58ca2

        SHA512

        edd9d33a7fcb765eee0a32a468ac3418f6c23976395b753becafc7bdac160970b89884500d626c5f1476a54f8a3e25bd749c51b956de6ac546efa93a468842de

        Download Submit

      • C:\Windows\Temp\explorer.exe
        Filesize

        2.3MB

        MD5

        645c4a1777edc25cbf67a5a5945e3311

        SHA1

        4985ee60a642ecf0be9b60ab137f30d388c2f9f8

        SHA256

        f5557bd3226c5973126b6dd4f2b6cf17b672482b38a77dd995ef1e52958b671c

        SHA512

        999d55213a7c8cfbdebcffde20e8143113940fc350342e88c3f53f839a0bb39786327bcfe40cc9ea9c5f4e98b94ba4302e8f925e1263e5e05007686e05004775

        Download Submit

      • memory/1656-145-0x0000000073B00000-0x0000000073B4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2832-79-0x00000000071E0000-0x0000000007283000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2832-84-0x0000000007520000-0x0000000007531000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2832-52-0x00000000050A0000-0x00000000050C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2832-53-0x00000000052C0000-0x0000000005326000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2832-54-0x0000000005960000-0x00000000059C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2832-50-0x00000000026C0000-0x00000000026F6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2832-64-0x00000000059D0000-0x0000000005D24000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2832-65-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2832-66-0x0000000006020000-0x000000000606C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2832-67-0x0000000006FA0000-0x0000000006FD2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2832-68-0x0000000073B00000-0x0000000073B4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2832-78-0x00000000065C0000-0x00000000065DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2832-88-0x0000000007590000-0x0000000007598000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2832-81-0x0000000007330000-0x000000000734A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2832-80-0x0000000007970000-0x0000000007FEA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2832-82-0x00000000073A0000-0x00000000073AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2832-83-0x00000000075B0000-0x0000000007646000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2832-51-0x0000000005330000-0x0000000005958000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2832-85-0x0000000007550000-0x000000000755E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2832-86-0x0000000007560000-0x0000000007574000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2832-87-0x0000000007650000-0x000000000766A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3316-44-0x0000000000980000-0x0000000000BB8000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3920-172-0x0000000000FD0000-0x000000000137E000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/3920-168-0x0000000000FD0000-0x000000000137E000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/3920-167-0x0000000000FD0000-0x000000000137E000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/4264-1-0x00007FFF07973000-0x00007FFF07975000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4264-169-0x00007FFF07970000-0x00007FFF08431000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4264-0-0x00000000003B0000-0x00000000005F0000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4264-8-0x00007FFF07970000-0x00007FFF08431000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4264-2-0x000000001B2D0000-0x000000001B520000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4384-102-0x0000000073B00000-0x0000000073B4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5032-124-0x0000000073B00000-0x0000000073B4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5032-113-0x0000000005670000-0x00000000059C4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5068-162-0x0000000000BD0000-0x0000000000F7E000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/5068-32-0x0000000000BD0000-0x0000000000F7E000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/5068-43-0x0000000000BD0000-0x0000000000F7E000-memory.dmp

        Filesize

        3.7MB

        Download