Analysis Overview
SHA256
9864678182d8d06ed1bebd8aad901cab4f77cfced7547f5e365e8c1854ef2cdf
Threat Level: Known bad
The file Cranium.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
AsyncRat
Asyncrat family
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-30 18:54
Signatures
Async RAT payload
Asyncrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 18:54
Reported
2024-05-30 19:30
Platform
win11-20240426-en
Max time kernel
550s
Max time network
1173s
Signatures
AsyncRat
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Cranium.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\Cranium.exe | "C:\Users\Admin\AppData\Local\Temp\Cranium.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Cranium" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC75.tmp.bat"" |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /f /tn "Cranium" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:17731 | 5.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpAC75.tmp.bat
| Hash | Value |
|---|---|
| MD5 | aa079fb13e8a44098f225862fdc17996 |
| SHA1 | 3fba0e961fa6ae61c1aa3f188252ec3a0eacbd5a |
| SHA256 | 2c174781add13197d6cdad931444cab7cafafa6d810726c2538cbc9b3e425558 |
| SHA512 | 7ea8ef936955a3b41de54249e32f4cd07b8dd48a55518dab9776d6d39bf78e707291ddc4b35d24b7566514b303509e6c2389cd5ba00f50a372b3cd4c76203097 |