Overview

overview

10

Static

static

3

935fa2bdf4...ef.exe

windows7-x64

1

935fa2bdf4...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    935fa2bdf4a8b2b9d71c1e87dfda27ef.exe

  • Size

    1.1MB

  • MD5

    935fa2bdf4a8b2b9d71c1e87dfda27ef

  • SHA1

    468fea59efdd1e52aebd17edd6185d472a311f7e

  • SHA256

    f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11

  • SHA512

    74434c0a88589083d9087158ec3fb75921e4715bb61654ef4688fe936d3677a3224451be9140087596c01d1ccc6054064791ad2307a84e7b9bf221b36e0def36

  • SSDEEP

    24576:xcvYPuAT6+Feyf8h8zwGhKL8bzh2God0Tae3sHPFMses6n:xZP1VFeyftzdhKLsQdle3svFM

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:7771

127.0.0.1:39377

doffuovouvvufoz97964d-39377.portmap.host:7771

doffuovouvvufoz97964d-39377.portmap.host:39377
Attributes
  • delay

    1

  • install

    true

  • install_file

    lulz.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe
    "C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\Infected.exe
      "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3296
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3328
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5AA3.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4900
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3952
        • C:\Users\Admin\AppData\Roaming\lulz.exe
          "C:\Users\Admin\AppData\Roaming\lulz.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Infected.exe
    Filesize

    64KB

    MD5

    b79066a5172f1508c1b9a8d02e9edd29

    SHA1

    08a74b0096e1df0043246e65bfe5861af4611515

    SHA256

    66eb0f1ec9845025074d4e91f6a9f5a1a91fca45f9a59bbdb5d718ba84948674

    SHA512

    033496e0033a0c359efbf2dbf61fa9c41804c26d3271b34b1b320598d9f3e9ea0b3276715eb99f77e50c62f3561f7fb4ad195f5b37c05430b66d0b6cb0489375

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp5AA3.tmp.bat
    Filesize

    148B

    MD5

    3547ed306326dffc30b03d53b99f3966

    SHA1

    8de52fe225a836c5dcd19292d01dd693b79390dc

    SHA256

    3a318284b7978b3af09f140e6ad7a819f76b6a9eea0fceef2525463dc8d799c9

    SHA512

    d99a291cd4708bc4e7f6200aeff0a141935819628f38249adfa5213ef0ae562f297a702c0ebf7377fb0cc69e52ee1136cb10bec72c08e1470e7bf82aca8dfe9b

    Download Submit
  • memory/1416-7-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-3-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-4-0x000001A9AABF0000-0x000001A9AACBC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1416-6-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1416-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-1-0x000001A98D740000-0x000001A98D860000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1416-30-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1416-31-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5112-18-0x0000000000060000-0x0000000000076000-memory.dmp
    Filesize

    88KB

    Download
  • memory/5112-19-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5112-20-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5112-25-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
    Filesize

    10.8MB

    Download