Malware Analysis Report

2024-09-22 06:41

Sample ID: 240620-rx7yhaseka
Target: 0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e
SHA256: 0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e
Tags: asyncrat, default, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e

Threat Level: Known bad

The file 0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Asyncrat family

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:35

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:35

Reported

2024-06-20 14:40

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

Signatures

AsyncRat

rat asyncrat

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 1644 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2648 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2608 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 2660 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp27BC.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3
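The WriteProcessMemory rows above double as a process-tree record: each "PID A wrote to memory of B" pair is a parent setting up a child it has just created, and the Process and Target columns give every pid its image. The Python below rebuilds the behavioral2 tree from those rows. It is an added example written for this page, not sandbox or report tooling; its input is the behavioral2 data above expanded to one row per call, the way the sandbox emits it (four calls per child in that run), and the function and variable names are the example's own.

```python
"""Rebuild a parent/child process tree from sandbox 'wrote to memory of' rows.

Added example for this report; not part of the original page or of any
sandbox tooling. Input: the behavioral2 WriteProcessMemory rows above.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# (parent pid, child pid, parent image, child image, rows in the table),
# taken from the behavioral2 table above and expanded back to one row per call.
EVENTS = [
    (2028, 1644, SAMPLE, CMD, 4),
    (2028, 2648, SAMPLE, CMD, 4),
    (1644, 2608, CMD, r"C:\Windows\SysWOW64\schtasks.exe", 4),
    (2648, 2660, CMD, r"C:\Windows\SysWOW64\timeout.exe", 4),
]
ROWS = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
    for p, c, pi, ci, n in EVENTS
    for _ in range(n)
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
    r"(?P<indicator>\S+)\s+(?P<src_image>\S+)\s+(?P<dst_image>\S+)$"
)


def parse_rows(text):
    """Return (edges, images).

    edges[parent][child] is the number of WriteProcessMemory rows for that
    pair; images maps pid -> image path. Repeated rows are counted rather
    than dropped, because the count is itself a signal: a few writes per
    child is what CreateProcess produces when it copies the command line
    and environment into the new process, while a large count, or writes
    into a process the writer did not spawn, is the injection pattern.
    """
    edges = defaultdict(lambda: defaultdict(int))
    images = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row; ignore
        src, dst = int(m["src"]), int(m["dst"])
        edges[src][dst] += 1
        images[src] = m["src_image"]
        images[dst] = m["dst_image"]
    return edges, images


def roots(edges):
    """Pids that wrote to others but were never written to: the tree roots."""
    children = {c for kids in edges.values() for c in kids}
    return sorted(p for p in edges if p not in children)


def render(edges, images, pid, depth=0, writes=None):
    """Indented text tree rooted at pid, one line per process."""
    name = ntpath.basename(images.get(pid, "?"))
    suffix = f"  ({writes} writes from parent)" if writes else ""
    lines = [f"{'  ' * depth}{pid} {name}{suffix}"]
    for child, n in sorted(edges.get(pid, {}).items()):
        lines.extend(render(edges, images, child, depth + 1, n))
    return lines


def render_tree(text):
    edges, images = parse_rows(text)
    return [line for r in roots(edges) for line in render(edges, images, r)]


if __name__ == "__main__":
    print("\n".join(render_tree(ROWS)))
```

Running it prints the five-process tree: the sample spawning two cmd.exe instances, one of which runs schtasks.exe and the other timeout.exe, with four parent writes per child. The same parser works unchanged on the behavioral1, behavioral3 and behavioral4 tables, which show three writes per child on the Windows 10 and 11 images.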

Network

N/A (no network activity was recorded in this run)

Files

memory/2028-0-0x000000007444E000-0x000000007444F000-memory.dmp

memory/2028-1-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

memory/2028-3-0x0000000074440000-0x0000000074B2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp27BC.tmp.bat

MD5 75055db7953e645817c6611ca476a115
SHA1 04f62e926da4a830b39b9deaf15b9947ccd98db3
SHA256 b73b773abe3b282019814172e0af98b86d473fc91764e650d07df540002cc032
SHA512 d8712382164fc6cc8d025b4b2f6f812a8a1f60d6f2f374ad6863847d96cbb5c436324c4ee282c13038e841ee9ebcb25a7c5be95962bb877584ac4cc0a17afa44

memory/2028-11-0x0000000074440000-0x0000000074B2E000-memory.dmp

memory/2028-14-0x0000000074440000-0x0000000074B2E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 14:35

Reported

2024-06-20 14:40

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

269s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
21 events (identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 3600 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 3924 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 2864 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3924 wrote to memory of 2880 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C8C.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3
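The two schtasks command lines above (identical in every run) are the persistence step, and they are worth reading closely. The sample hands cmd.exe the literal text /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"'. cmd.exe expands %AppData% to C:\Users\Admin\AppData\Roaming before schtasks.exe sees it, so the task name becomes a directory path and the action becomes C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe, a path with a second drive letter in the middle that cannot resolve to a file. schtasks /create does not verify that the action exists, so the task is created (hence the persistence signature), but it cannot start anything at logon. That is consistent with a build whose install-name settings were left at their placeholders, which the report's "default" tag points to as well. The task name, a literal directory path, is still a good hunting indicator. The Python below parses both command lines and tags exactly those anomalies. It is an added example written for this page, not the sandbox's signature logic; the switch parser, the finding names and the function names are the example's own.

```python
"""Triage a schtasks /create command line for the anomalies seen in this report.

Added example for this page; not part of the original report or sandbox.
"""
import re

# Command lines copied from the behavioral3 Processes list above: the cmd.exe
# wrapper exactly as the sample launches it, and the schtasks.exe child it
# produces once cmd.exe has expanded %AppData%.
CMD_WRAPPER = r"""
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit
""".strip()
SCHTASKS_CHILD = r"""
schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'
""".strip()

# /switch followed by an optional value. A value may be "..." or '...' quoted;
# a bare token only counts as a value if it does not start another switch.
ARG_RE = re.compile(r"""/(?P<key>\w+)(?:\s+(?P<val>"[^"]*"|'[^']*'|(?!/)\S+))?""")


def unquote(value):
    """schtasks /tr values are commonly written '"path"'; peel both quote layers."""
    while len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def parse_args(cmdline):
    """Map /switch -> value (None for bare switches such as /f and /create)."""
    args = {}
    for m in ARG_RE.finditer(cmdline):
        args[m["key"].lower()] = unquote(m["val"]) if m["val"] else None
    return args


def triage_schtasks(cmdline):
    """Return the parsed task plus a list of finding tags for a /create line."""
    args = parse_args(cmdline)
    if "create" not in args:
        return {"findings": ["not_a_create"]}
    tn = args.get("tn") or ""
    tr = args.get("tr") or ""
    sc = (args.get("sc") or "").lower()
    rl = (args.get("rl") or "").lower()
    findings = []
    if re.search(r"%[^%\s]+%", tn + " " + tr):
        findings.append("unexpanded_env_var")        # placeholder never filled in by the builder
    if re.match(r"^[A-Za-z]:\\", tn):
        findings.append("task_name_is_path")          # task named after a directory
    if re.search(r"\\[A-Za-z]:\\", tr):
        findings.append("drive_letter_inside_action_path")  # broken expansion; cannot resolve
    if "\\appdata\\" in tr.lower():
        findings.append("runs_from_user_profile")     # action lives in a user-writable tree
    if rl == "highest" and sc == "onlogon":
        findings.append("highest_onlogon")            # elevated, every logon
    return {"task_name": tn, "action": tr, "schedule": sc, "run_level": rl,
            "findings": findings}


if __name__ == "__main__":
    for line in (CMD_WRAPPER, SCHTASKS_CHILD):
        print(triage_schtasks(line))
```

The wrapper line is flagged for the unexpanded placeholder; the child line, which is what Task Scheduler actually stored, is flagged for the path-shaped task name and the nested drive letter in the action. Either pattern in process-creation telemetry (command line of schtasks.exe with /create) is enough to pivot on, independent of the sample hash.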

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/1424-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

memory/1424-1-0x00000000003B0000-0x00000000003C8000-memory.dmp

memory/1424-2-0x0000000005530000-0x0000000005AD4000-memory.dmp

memory/1424-4-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1424-5-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1424-10-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3C8C.tmp.bat

MD5 d24668acb90042fe874bce57eabe029a
SHA1 1aa2dca0657c10ebe78908b048625d61ccdbc590
SHA256 5e3d9cc819716d51d9754f2c1655123fea27355f60c378e88101d19154697b57
SHA512 c4f5171ac8dde7889525ddf00daf04a6e326066a65dca191b056fdcf9a8151d261cb4a4916cb191894187ba2f901c0e93ff0160592582a355004c30e0d5ca7cb

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 14:35

Reported

2024-06-20 14:40

Platform

win11-20240611-en

Max time kernel

92s

Max time network

190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

Signatures

AsyncRat

rat asyncrat

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
19 events (identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 3028 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 3720 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 2372 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3028 wrote to memory of 4624 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp662C.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
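None of the four runs shows command-and-control traffic. behavioral2 recorded no network activity at all, and the Network tables of the other runs contain only queries to the sandbox resolver, PTR (in-addr.arpa) lookups, Bing endpoints the OS contacts on its own, and one unattributed TCP/443 connection in behavioral4. Absence of C2 inside a 92 to 208 second detonation is not evidence that the payload has none; the C2 host lives in the AsyncRAT configuration, which this report does not print. The Python below is the noise filter an analyst applies to such tables before looking at what is left: it classifies each row, correlates PTR lookups with the connections they name, and returns the rows that still need a human. It is an added example for this page, not sandbox tooling; the rows are copied from the behavioral3 and behavioral4 tables above, and the background-domain list is an illustrative assumption, not an authoritative allowlist.

```python
"""Reduce sandbox network rows to the flows worth a manual look.

Added example for this report; not part of the original page or sandbox.
"""
import ipaddress

# Rows copied from the behavioral3 and behavioral4 Network tables above.
# The behavioral4 row has no Domain column: a TCP connection the sandbox
# could not tie to a DNS answer.
ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
"""

RESOLVER = ("8.8.8.8", 53)
# Assumption for this example: domains Windows itself talks to during a
# detonation. Illustrative only; tune it to the sandbox image in use.
BACKGROUND_SUFFIXES = ("bing.com", "microsoft.com", "msftconnecttest.com")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:                      # no Domain column
            (cc, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append({"cc": cc, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def classify(flow):
    if (flow["ip"], flow["port"]) == RESOLVER and flow["proto"] == "udp":
        return "reverse_dns" if flow["domain"].endswith(".in-addr.arpa") else "dns_query"
    if flow["domain"] and is_background(flow["domain"]):
        return "background"
    return "review"


def triage(text):
    """Return (counts per class, flows with class and PTR correlation).

    ptr_lookup_seen tells whether a PTR query for that connection's own IP
    appears in the same table; reverse lookups of peers already contacted
    are typically the OS or sandbox at work, not the sample.
    """
    flows = parse_rows(text)
    ptr_seen = {f["domain"] for f in flows if f["domain"].endswith(".in-addr.arpa")}
    counts = {}
    for f in flows:
        f["class"] = classify(f)
        counts[f["class"]] = counts.get(f["class"], 0) + 1
        if f["class"] in ("background", "review"):
            f["ptr_lookup_seen"] = ipaddress.ip_address(f["ip"]).reverse_pointer in ptr_seen
    return counts, flows


def needs_review(text):
    """The rows an analyst still has to look at by hand."""
    _, flows = triage(text)
    return [f for f in flows if f["class"] == "review"]


if __name__ == "__main__":
    counts, _ = triage(ROWS)
    print(counts)
    for f in needs_review(ROWS):
        print(f)
```

On these rows the filter leaves a single flow, 52.111.236.22:443 with no domain. The PTR query next to it is for 52.111.236.21, a neighbouring address, so the correlation correctly reports no lookup for the connection itself; the www.bing.com connection, by contrast, does have its own PTR (152.61.62.23.in-addr.arpa). A flow that survives this filter is a candidate, not a verdict: confirm it against the extracted configuration before calling it C2.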

Files

memory/1572-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/1572-1-0x0000000000930000-0x0000000000948000-memory.dmp

memory/1572-2-0x0000000005C10000-0x00000000061B6000-memory.dmp

memory/1572-4-0x0000000074CC0000-0x0000000075471000-memory.dmp

memory/1572-5-0x0000000074CC0000-0x0000000075471000-memory.dmp

memory/1572-10-0x0000000074CC0000-0x0000000075471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp662C.tmp.bat

MD5 e457833e232f38327ec3e73f6caeb983
SHA1 b90cff5ff4c2a3fa2844ad4edb38d89fd36400b2
SHA256 f972fae449dead26e24e6d2a4c0325020076ce134be21b2df7e1401692861457
SHA512 4cde2feeb14c2985eb5101ff20e5558857e9d7a161306b58f1fb0d71f830a8492165ee013703dd94d331e2961cd33359deba8667095ec196b36e3e30b41accfc

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:35

Reported

2024-06-20 14:40

Platform

win10-20240404-en

Max time kernel

208s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

Signatures

AsyncRat

rat asyncrat

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
15 events (identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 3800 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 4244 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 5044 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 2188 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe

"C:\Users\Admin\AppData\Local\Temp\0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C56.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/3796-0-0x000000007407E000-0x000000007407F000-memory.dmp

memory/3796-1-0x00000000000D0000-0x00000000000E8000-memory.dmp

memory/3796-2-0x0000000004FF0000-0x00000000054EE000-memory.dmp

memory/3796-4-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3796-5-0x0000000074070000-0x000000007475E000-memory.dmp

memory/3796-10-0x0000000074070000-0x000000007475E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6C56.tmp.bat

MD5 c1559e0301aa09fd329e6896f7730a60
SHA1 1def97c946c99fb1136028678671fd680e953caa
SHA256 53839ee5bf93d3f6e7c8ca57604654ae7869ec2045afc1d44ab6cfbbb34fd7d0
SHA512 efd4b46a923fc3228295c5ca4e258998b8933c0b454b2c468f1929a7998b5e4a4d648ce7affeedce573dad1f3f774b9439f2a39518a6cf8ca4b0fa44da807145