Analysis Overview
SHA256
10fe9e0b3b861a06727addb3e0291727bdd8cd91bebbed4b3d6bc901aa15dde1
Threat Level: Known bad
The file async2.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 08:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 08:56
Reported
2024-06-17 08:59
Platform
win7-20240508-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
AsyncRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LicGen.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\async2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\async2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Duyiyilycdc = "C:\\Users\\Admin\\AppData\\Roaming\\Duyiyilycdc.exe" | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2252 set thread context of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\async2.exe
"C:\Users\Admin\AppData\Local\Temp\async2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAZABuACMAPgA="
Decoded -EncodedCommand (base64 of UTF-16LE; the `<#...#>` fragments are inline comments used as padding): <#pat#>Add-MpPreference <#zvw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#wst#> -Force <#udn#>
C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe
"C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe"
C:\Users\Admin\AppData\Local\Temp\LicGen.exe
"C:\Users\Admin\AppData\Local\Temp\LicGen.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 95.211.208.153:6606 | | tcp |
| NL | 95.211.208.153:6606 | | tcp |
| NL | 95.211.208.153:6606 | | tcp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
| NL | 95.211.208.153:6606 | | tcp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
Files
\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe
| MD5 | 5870c41c149fdd038336b2a1b2103e2f |
| SHA1 | d3efce3cc94fb928113481aee8d58cdeea24a708 |
| SHA256 | 9b489f300c3797e9d343a47ecd96e83646a61b02c28b5e68071d26a5a666c929 |
| SHA512 | 9fdbc2281e54dc640e8b2598faedabffe70f3fc739d88a603c0d43a8496fc08b07fcebd63fabd11d69c3393edb28eec867ab505a5c694ebe17632d04fe8952a7 |
\Users\Admin\AppData\Local\Temp\LicGen.exe
| MD5 | 63404fb2f5a0d14e7a19fa3e4b8af577 |
| SHA1 | 12d4ecfcfe8f9fa53fbc4f7addb43ab118da8255 |
| SHA256 | d599ed299630b163afb1aa64f6f5bdd92969dd9abfca1e32d1df4a93608fefeb |
| SHA512 | 19aae9580fa9be4c14401f144f04366a1c21cb9c9ae268a4e75f9e0364f49e9e18242ec0f49c7ec349328530b960b3890e1197d417db9986c763e098844e7416 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 08:56
Reported
2024-06-17 08:59
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
AsyncRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\async2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LicGen.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Duyiyilycdc = "C:\\Users\\Admin\\AppData\\Roaming\\Duyiyilycdc.exe" | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\async2.exe
"C:\Users\Admin\AppData\Local\Temp\async2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAZABuACMAPgA="
Decoded -EncodedCommand (base64 of UTF-16LE; the `<#...#>` fragments are inline comments used as padding): <#pat#>Add-MpPreference <#zvw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#wst#> -Force <#udn#>
C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe
"C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe"
C:\Users\Admin\AppData\Local\Temp\LicGen.exe
"C:\Users\Admin\AppData\Local\Temp\LicGen.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 95.211.208.153:7707 | | tcp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
| NL | 95.211.208.153:6606 | | tcp |
| US | 8.8.8.8:53 | 5512.sytes.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe
| MD5 | 5870c41c149fdd038336b2a1b2103e2f |
| SHA1 | d3efce3cc94fb928113481aee8d58cdeea24a708 |
| SHA256 | 9b489f300c3797e9d343a47ecd96e83646a61b02c28b5e68071d26a5a666c929 |
| SHA512 | 9fdbc2281e54dc640e8b2598faedabffe70f3fc739d88a603c0d43a8496fc08b07fcebd63fabd11d69c3393edb28eec867ab505a5c694ebe17632d04fe8952a7 |
C:\Users\Admin\AppData\Local\Temp\LicGen.exe
| MD5 | 63404fb2f5a0d14e7a19fa3e4b8af577 |
| SHA1 | 12d4ecfcfe8f9fa53fbc4f7addb43ab118da8255 |
| SHA256 | d599ed299630b163afb1aa64f6f5bdd92969dd9abfca1e32d1df4a93608fefeb |
| SHA512 | 19aae9580fa9be4c14401f144f04366a1c21cb9c9ae268a4e75f9e0364f49e9e18242ec0f49c7ec349328530b960b3890e1197d417db9986c763e098844e7416 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rbda0lnw.myn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |