Overview

overview

10

Static

static

10

fdc933b64d...b7.exe

windows7-x64

10

fdc933b64d...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    18-06-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe

  • Size

    405KB

  • MD5

    c4e10100c5cf7bec2d9d0a1d7203ddb2

  • SHA1

    24a6ecd52fb2165b8563a2853898316851638871

  • SHA256

    fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7

  • SHA512

    ff6bd9bdcb95641c5e19aeef99d9cdddb33b5b309ec358a1a50ba00d2cea9a3fa22a0239b4e09d4a8904d4b7f470bbc621d5e0d60331bc5800709d308faf3202

  • SSDEEP

    6144:0NYzj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZbYdNpmIU:eYzAq81g5aN+BoKD

Score
10/10
asyncratexecutionpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
    "C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"
    1⤵
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2752
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab8133.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    81ec9057223b610190f3431b4afd87e6

    SHA1

    c2cb781c0611d05bdf1ded03f4202d7de50e331d

    SHA256

    b230d68cdc94c7537514660c20d96bb4056483d316c70622d3b6ae137a4f598d

    SHA512

    d6ef72c8822ee67e447cd07eae342030fbcf778ebc051311af1c9f1efbbce4b8274e7e00fac0d9db9d25617438134b5a2323d037739faa8fc68b252090e0cf0d

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/564-48-0x00000000022A0000-0x00000000022A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/836-2-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/836-1-0x0000000001390000-0x00000000013FC000-memory.dmp
    Filesize

    432KB

    Download
  • memory/836-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-57-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-58-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1636-55-0x000000001B2D0000-0x000000001B5B2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1636-56-0x0000000001F50000-0x0000000001F58000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2752-18-0x0000000001FD0000-0x0000000001FD8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2752-17-0x000000001B3E0000-0x000000001B6C2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2992-24-0x000000001B370000-0x000000001B652000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2992-25-0x0000000001E60000-0x0000000001E68000-memory.dmp
    Filesize

    32KB

    Download