Analysis Overview
SHA256
ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f
Threat Level: Known bad
The file ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Drops startup file
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 09:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 09:46
Reported
2024-06-16 09:48
Platform
win10v2004-20240611-en
Max time kernel
147s
Max time network
146s
Command Line
Signatures
AsyncRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Taskbar.lnk | C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Taskbar.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4008 set thread context of 4092 | N/A | C:\Users\Admin\AppData\Roaming\Windows Taskbar.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Taskbar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe
"C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe"
C:\Users\Admin\AppData\Roaming\Windows Taskbar.exe
"C:\Users\Admin\AppData\Roaming\Windows Taskbar.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 161.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
| US | 8.8.8.8:53 | surveyedgesoft.com | udp |
Files
memory/984-0-0x000000007470E000-0x000000007470F000-memory.dmp
memory/984-1-0x0000000000E90000-0x0000000000F16000-memory.dmp
memory/984-2-0x0000000005550000-0x0000000005AF4000-memory.dmp
memory/984-3-0x0000000004EB0000-0x0000000004F42000-memory.dmp
memory/984-4-0x0000000005040000-0x00000000050DC000-memory.dmp
memory/984-5-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/984-6-0x0000000007B50000-0x0000000007E12000-memory.dmp
memory/984-7-0x00000000027F0000-0x00000000027F6000-memory.dmp
memory/984-8-0x0000000007A20000-0x0000000007A2A000-memory.dmp
memory/984-9-0x0000000074700000-0x0000000074EB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Taskbar.exe
| MD5 | 0ee9a0317342d545c2bfd9e3fbd627f9 |
| SHA1 | b75bbb5092930bbbe83de54a50805bf1a7445762 |
| SHA256 | ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f |
| SHA512 | 929153c2589614b4495e4c7e40e07ee3c3f8b2557927aacde1e7ec8828a14162ca47c573822a201633b535d65adc1025d8bc3e730f51160759cc3af2ed6d3c70 |
memory/4008-25-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/984-27-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4008-26-0x0000000000C80000-0x0000000000D06000-memory.dmp
memory/4008-28-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4008-29-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4008-30-0x00000000079F0000-0x0000000007A0A000-memory.dmp
memory/4008-31-0x0000000007AD0000-0x0000000007AD6000-memory.dmp
memory/4008-32-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4008-33-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4092-34-0x0000000000400000-0x0000000000418000-memory.dmp
memory/4092-36-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4008-37-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4092-39-0x0000000074700000-0x0000000074EB0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 09:46
Reported
2024-06-16 09:48
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe
"C:\Users\Admin\AppData\Local\Temp\ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4420-0-0x000000007488E000-0x000000007488F000-memory.dmp
memory/4420-1-0x0000000000220000-0x00000000002A6000-memory.dmp
memory/4420-2-0x0000000005CB0000-0x0000000006256000-memory.dmp
memory/4420-3-0x00000000055D0000-0x0000000005662000-memory.dmp
memory/4420-4-0x00000000057A0000-0x000000000583C000-memory.dmp
memory/4420-5-0x0000000074880000-0x0000000075031000-memory.dmp
memory/4420-7-0x0000000074880000-0x0000000075031000-memory.dmp