Overview

overview

10

Static

static

1

47e6542e23...in.exe

windows7-x64

10

47e6542e23...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47e6542e234e5ffed88732519f19008c.bin.exe

  • Size

    680KB

  • MD5

    47e6542e234e5ffed88732519f19008c

  • SHA1

    b3dd01bf81d5b4b9595c13032d0fc8006dbc7e64

  • SHA256

    ae55dc186e2373b964f1d84fd51aa7692fdb2994cc163128b97631c3ba7f7066

  • SHA512

    98e4ddd035c81623ba2dcc5fc4ca58da3aa6ba10c7bce25ab0a00e7737c11152d6a77507c859f7f369be8fc456189acb5fe90a55064a5bf790e06662f3b589ce

  • SSDEEP

    12288:+Xplx92r2O9Ycny57ohEDGtnXCkgybsySO+TbQnpNwMfgriFg3ikzA6pVPbi81kR:oFTCy5XityUWXUNwMfgrV3ikz8

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

198.55.115.39:6606

198.55.115.39:7707

198.55.115.39:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Wndfnder.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GGyIJkQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GGyIJkQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6BE9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4784
    • C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\47e6542e234e5ffed88732519f19008c.bin.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wndfnder" /tr '"C:\Users\Admin\AppData\Roaming\Wndfnder.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Wndfnder" /tr '"C:\Users\Admin\AppData\Roaming\Wndfnder.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:5096
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D0F.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:704
        • C:\Users\Admin\AppData\Roaming\Wndfnder.exe
          "C:\Users\Admin\AppData\Roaming\Wndfnder.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GGyIJkQ.exe"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4968
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GGyIJkQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF29.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:3232
          • C:\Users\Admin\AppData\Roaming\Wndfnder.exe
            "C:\Users\Admin\AppData\Roaming\Wndfnder.exe"
            5⤵
            • Executes dropped EXE
            PID:5028
          • C:\Users\Admin\AppData\Roaming\Wndfnder.exe
            "C:\Users\Admin\AppData\Roaming\Wndfnder.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\47e6542e234e5ffed88732519f19008c.bin.exe.log
    Filesize

    1KB

    MD5

    b7b9acb869ccc7f7ecb5304ec0384dee

    SHA1

    6a90751c95817903ee833d59a0abbef425a613b3

    SHA256

    8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4

    SHA512

    7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    80bcb9665e4d7464f590db14864c08ca

    SHA1

    f974b84442e2176c85c0806dd02c3da317f93ed3

    SHA256

    e24c92c39d55ccf55ab1fa4867a05179d5bff19ec35a604a9b8a9a7e0e774471

    SHA512

    5a60f2277880f74746d4be0e720047ac35de0a958c72ee72c07ae9ff06df9a71f7360eff6d01752b88b03d603560c010a82e80dd8c51740c12ab4be23b4282a8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgkgypvz.ozz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6BE9.tmp
    Filesize

    1KB

    MD5

    d1c3d178aa0f58e55d95014bdeed61b0

    SHA1

    92ac641c3c620159cb234d90f08a83c3489562af

    SHA256

    cdf332469f41ac286c31fa21c826e1ef1a059f2144d785e2f5fab649167ac94a

    SHA512

    300ecbd54099891f88b183e054ecaa76f0179e666a54a9342dc6cb35281b0fbb84efdbc52be0782bcc2e928e24a0ba622261b66961272ea23c60bb77001e750c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp7D0F.tmp.bat
    Filesize

    152B

    MD5

    2c966678eb26c92c859d136f4f776508

    SHA1

    ace4bbaf22a6777a7f169dba79dc89952a6c894d

    SHA256

    00a5ea4cbd18a9d33e000a2ea09f2f5cafec0b9a9a1a066909822c06a3d40df8

    SHA512

    6aa84a46abc6a7cca5da2fad14b050e28583298ab25c905f1e35820ac88f5ecf76e6b76344553b9059d121f3ea441e93bbac1ea2c21e14bcb16e23dcd18aae10

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Wndfnder.exe
    Filesize

    680KB

    MD5

    47e6542e234e5ffed88732519f19008c

    SHA1

    b3dd01bf81d5b4b9595c13032d0fc8006dbc7e64

    SHA256

    ae55dc186e2373b964f1d84fd51aa7692fdb2994cc163128b97631c3ba7f7066

    SHA512

    98e4ddd035c81623ba2dcc5fc4ca58da3aa6ba10c7bce25ab0a00e7737c11152d6a77507c859f7f369be8fc456189acb5fe90a55064a5bf790e06662f3b589ce

    Download Submit
  • memory/1216-32-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2172-70-0x0000000008390000-0x00000000086E4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4648-38-0x0000000075270000-0x00000000752BC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4648-50-0x0000000008010000-0x000000000868A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4648-15-0x00000000050F0000-0x0000000005126000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4648-16-0x00000000749C0000-0x0000000075170000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4648-17-0x0000000005760000-0x0000000005D88000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4648-61-0x00000000749C0000-0x0000000075170000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4648-19-0x00000000056F0000-0x0000000005712000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4648-28-0x00000000749C0000-0x0000000075170000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4648-58-0x0000000007CF0000-0x0000000007CF8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4648-21-0x0000000006070000-0x00000000060D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4648-20-0x0000000006000000-0x0000000006066000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4648-57-0x0000000007D10000-0x0000000007D2A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4648-56-0x0000000007C10000-0x0000000007C24000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4648-35-0x00000000066C0000-0x00000000066DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4648-36-0x00000000066E0000-0x000000000672C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4648-55-0x0000000007C00000-0x0000000007C0E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4648-37-0x0000000007850000-0x0000000007882000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4648-48-0x0000000006C60000-0x0000000006C7E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4648-49-0x0000000007890000-0x0000000007933000-memory.dmp
    Filesize

    652KB

    Download
  • memory/4648-54-0x0000000007BD0000-0x0000000007BE1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4648-51-0x00000000079D0000-0x00000000079EA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4648-52-0x0000000007A40000-0x0000000007A4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4648-53-0x0000000007C50000-0x0000000007CE6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/4940-4-0x0000000007B50000-0x0000000007EA4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4940-8-0x00000000074B0000-0x00000000074C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4940-10-0x0000000005D10000-0x0000000005DAC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4940-7-0x00000000074F0000-0x000000000750A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4940-3-0x00000000070D0000-0x0000000007162000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4940-9-0x0000000008970000-0x00000000089E4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/4940-6-0x00000000072D0000-0x00000000072DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4940-2-0x00000000075A0000-0x0000000007B44000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4940-34-0x00000000749C0000-0x0000000075170000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4940-0-0x00000000749CE000-0x00000000749CF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4940-5-0x00000000749C0000-0x0000000075170000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4940-1-0x0000000000160000-0x000000000020C000-memory.dmp
    Filesize

    688KB

    Download
  • memory/4968-88-0x00000000061B0000-0x00000000061FC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4968-89-0x00000000752A0000-0x00000000752EC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4968-99-0x00000000073B0000-0x0000000007453000-memory.dmp
    Filesize

    652KB

    Download
  • memory/4968-100-0x0000000007660000-0x0000000007671000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4968-101-0x00000000076B0000-0x00000000076C4000-memory.dmp
    Filesize

    80KB

    Download