Analysis Overview
SHA256
1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe
Threat Level: Known bad
The file One-armed Hacker.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Asyncrat family
Async RAT payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-01 21:01
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 21:01
Reported
2024-06-01 21:04
Platform
win7-20240221-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp |
Files
memory/1712-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/1712-1-0x00000000000D0000-0x00000000000E2000-memory.dmp
memory/1712-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat
| MD5 | 387872e894519b3b91df99835dfb83b9 |
| SHA1 | 8e6a008e107c5850a3e3312cc2f7f40f405acc4f |
| SHA256 | 80fbcf3a34317c29e786714da3081e0a51f9389191acfe71740bed774bda7b31 |
| SHA512 | dcf306cc58040f136014f753143fc948fcc1297a8ae537a7a66d9a63465dac478b1ad6071b17095c188f7c337d4681982ea331577b1572d190b623d5ab80a3f0 |
memory/1712-12-0x00000000745E0000-0x0000000074CCE000-memory.dmp
\Users\Admin\AppData\Roaming\Intel WIFI.exe
| MD5 | 8753bac20e412415ebee30d7bbcd88fd |
| SHA1 | 682558771fc44df1eaa76fefb01a8a5e4b6e1d77 |
| SHA256 | 1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe |
| SHA512 | efa3003fa957e907804c0c651c8e35a95422b1752efad848aa8df6b0924bc776c4777823f8dd03ba7adca963b4be85c9692d515694c2867786f2b7afd9e4e8f5 |
memory/2420-16-0x0000000000850000-0x0000000000862000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 21:01
Reported
2024-06-01 21:02
Platform
win10v2004-20240426-en
Max time kernel
67s
Max time network
66s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp50CF.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp |
Files
memory/4536-0-0x000000007540E000-0x000000007540F000-memory.dmp
memory/4536-1-0x00000000008B0000-0x00000000008C2000-memory.dmp
memory/4536-2-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/4536-3-0x0000000005250000-0x00000000052B6000-memory.dmp
memory/4536-4-0x00000000056A0000-0x000000000573C000-memory.dmp
memory/4536-9-0x0000000075400000-0x0000000075BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp50CF.tmp.bat
| MD5 | 4f855eb7bae5f62b2e77745f673a2e14 |
| SHA1 | b034422f0e54d1d95e0ae1a1f1bfe2cfda66276b |
| SHA256 | 1c665ec9fdab18b88ab39e0ab118e46178c6d932e113edea906af4888d3db093 |
| SHA512 | c9ed616e3d0b13f1b9fe8e3fc219a063738eefdcfcce98b0c3f9c447408b7bb2aec43084bb64fed437c2b8bbc87c55e4c780ac1d968f6e5a4c91ce7f9dd23f56 |
C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
| MD5 | 8753bac20e412415ebee30d7bbcd88fd |
| SHA1 | 682558771fc44df1eaa76fefb01a8a5e4b6e1d77 |
| SHA256 | 1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe |
| SHA512 | efa3003fa957e907804c0c651c8e35a95422b1752efad848aa8df6b0924bc776c4777823f8dd03ba7adca963b4be85c9692d515694c2867786f2b7afd9e4e8f5 |
memory/2916-14-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2916-15-0x0000000075400000-0x0000000075BB0000-memory.dmp