Analysis
- max time kernel: 140s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 21:21
Static task: static1
- 1 signatures
Behavioral task: behavioral1
- Sample: 9211293FDF6164567C9C0557CF200057.exe
- Resource: win7-20240508-en
- 4 signatures
- 150 seconds
General
- Target: 9211293FDF6164567C9C0557CF200057.exe
- Size: 91KB
- MD5: 9211293fdf6164567c9c0557cf200057
- SHA1: cef794bc498b0b4ffea444c8f0bd002f0ad717bc
- SHA256: 4f9ae5b89c89e5c79c53db694d4d67e2d9b3c47c7389c8c3899dedbc9e92be76
- SHA512: bc858a5bf2f61a84718c204b1b3cef8883e91d88f5ca3f974b9531f433e44b62d2d7474a8f5f65213703146603ff531a5441a2640c7c63bf0e3b05de0671a609
- SSDEEP: 1536:nMZI65tohmg4x4mRpkKzk9c/8a95TmjsqeEPQk4SfV:nMuHdOpkKzuc/8afmjsqeEPQk4S9
Malware Config (Extracted)
- Family: asyncrat
- Version: 0.5.8
- Botnet: OS
- C2: 20.117.108.240:7825
- Mutex: IOr8QBoiV215
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
  - aes.plain:
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 9211293FDF6164567C9C0557CF200057.exe
  description: PID 1880 set thread context of 1928 | pid: 1880 | process: 9211293FDF6164567C9C0557CF200057.exe | target process: RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegAsm.exe
  description: Token: SeDebugPrivilege | pid: 1928 | process: RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 9211293FDF6164567C9C0557CF200057.exe
  8 identical entries, each:
  description: PID 1880 wrote to memory of 1928 | pid: 1880 | process: 9211293FDF6164567C9C0557CF200057.exe | target process: RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9211293FDF6164567C9C0557CF200057.exe (PID: 1880)
  command line: "C:\Users\Admin\AppData\Local\Temp\9211293FDF6164567C9C0557CF200057.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID: 1928, child of PID 1880)
    command line: #system32
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 4940)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8