Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\Sysbin.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\Sysbin.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1548 wrote to memory of 1872	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1872	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1872	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1872	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 848	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 848	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 848	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 848	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1872 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1872 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1872 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 848 wrote to memory of 2820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 848 wrote to memory of 2820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 848 wrote to memory of 2820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 848 wrote to memory of 2820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 848 wrote to memory of 2900	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe
PID 848 wrote to memory of 2900	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe
PID 848 wrote to memory of 2900	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe
PID 848 wrote to memory of 2900	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe

"C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Sysbin" /tr '"C:\Users\Admin\AppData\Roaming\Sysbin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp40F6.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Sysbin" /tr '"C:\Users\Admin\AppData\Roaming\Sysbin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Sysbin.exe

"C:\Users\Admin\AppData\Roaming\Sysbin.exe"

Network

Country	Destination	Domain	Proto
VN	61.14.233.130:7707		tcp
VN	61.14.233.130:6606		tcp
VN	61.14.233.130:7707		tcp
VN	61.14.233.130:8808		tcp
VN	61.14.233.130:7707		tcp
VN	61.14.233.130:8808		tcp

Files

memory/1548-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

memory/1548-1-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

memory/1548-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp40F6.tmp.bat

MD5	0e4b9cef0b8e3d472b59e513763fe6a2
SHA1	fb69a12aac433e1f1e58da525faad1f14bcbeb45
SHA256	e53ddea238669ef8b009189a405688b1d4d94d674b3bb337442020db6b8ff7e9
SHA512	d65e0bc30d7e11074c1273bc9cf86ed0a72f5eb08bf9ff72469fd7d4116f67541bb5a7e143871718b24111d476342d3787ccd97301096c3eb94f3aecfcf72a5b

memory/1548-11-0x00000000744F0000-0x0000000074BDE000-memory.dmp

\Users\Admin\AppData\Roaming\Sysbin.exe

MD5	36b7614f2f6b0788e6c2be5def44c68f
SHA1	0aca41d981fbc11d8eee8d7c668fc68637b4985c
SHA256	f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263
SHA512	b1243336e444127b0931c9cc5ce7e364540dd1fba1d25e9b7384e6d1d6d68036d7ea46b2c56592c20891d2d085af319286eda4eef57c1056bed97abdcb1d2449

memory/2900-16-0x0000000000A80000-0x0000000000A92000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:32

Reported

2024-06-16 14:35

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\Sysbin.exe	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\timeout.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\Sysbin.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\Sysbin.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1300 wrote to memory of 3232	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 3232	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 3232	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4796	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4796	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4796	N/A	C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe	C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 3096	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3096	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 3096	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4796 wrote to memory of 448	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 4796 wrote to memory of 448	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 4796 wrote to memory of 448	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 4796 wrote to memory of 2332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe
PID 4796 wrote to memory of 2332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe
PID 4796 wrote to memory of 2332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\Sysbin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe

"C:\Users\Admin\AppData\Local\Temp\f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Sysbin" /tr '"C:\Users\Admin\AppData\Roaming\Sysbin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp688D.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Sysbin" /tr '"C:\Users\Admin\AppData\Roaming\Sysbin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Sysbin.exe

"C:\Users\Admin\AppData\Roaming\Sysbin.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	71.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	57.169.31.20.in-addr.arpa	udp
VN	61.14.233.130:7707		tcp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	198.187.3.20.in-addr.arpa	udp
US	8.8.8.8:53	92.12.20.2.in-addr.arpa	udp
VN	61.14.233.130:6606		tcp
VN	61.14.233.130:8808		tcp
US	8.8.8.8:53	203.107.17.2.in-addr.arpa	udp
VN	61.14.233.130:8808		tcp
VN	61.14.233.130:7707		tcp
VN	61.14.233.130:8808		tcp

Files

memory/1300-0-0x00000000752EE000-0x00000000752EF000-memory.dmp

memory/1300-1-0x0000000000050000-0x0000000000062000-memory.dmp

memory/1300-2-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/1300-3-0x0000000004900000-0x000000000499C000-memory.dmp

memory/1300-8-0x00000000752E0000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp688D.tmp.bat

MD5	7e9c6d93ca1bfc9133756d8a42ca6457
SHA1	ea39e80122f8ced0dc8488bbc98694e767aecf5e
SHA256	1ebd94476a89fb1c46bc7b227a18b8bcfe1d12586ba293dbc5d408364076f96d
SHA512	966c36e4652628340547df1933862fcca51c137097d8ebf5123a4fc52f0bdaccb77a8f49fe6fd13668e17d1913ca2a8232d4ff6bcceadf769816dc83d49dea5a

C:\Users\Admin\AppData\Roaming\Sysbin.exe

MD5	36b7614f2f6b0788e6c2be5def44c68f
SHA1	0aca41d981fbc11d8eee8d7c668fc68637b4985c
SHA256	f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263
SHA512	b1243336e444127b0931c9cc5ce7e364540dd1fba1d25e9b7384e6d1d6d68036d7ea46b2c56592c20891d2d085af319286eda4eef57c1056bed97abdcb1d2449

memory/2332-13-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/2332-14-0x00000000752E0000-0x0000000075A90000-memory.dmp

Sample ID	240616-rwq9cs1ckr
Target	f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263.exe
SHA256	f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263
Tags	asyncrat default rat

Malware Analysis Report

2024-08-06 13:13

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files