Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 22:54

General

  • Target

    44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe

  • Size

    47KB

  • MD5

    4a56c6e517888a3524999e18e6d7740b

  • SHA1

    3781d9472264ca9af471cdc80ffc87c34134c112

  • SHA256

    44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706

  • SHA512

    0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e

  • SSDEEP

    768:Euzkx3FTkYwt9y4gWUOlKnjamo2q8ayby6FXbWPI8rQ9Hyfw+0bF3HFZBzUccTUW:EuS3FTHHe2Gy+6Z78rQ9HGWbF3T9U5+Q

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

0UfuvIZfaBv8

Attributes
  • delay

    3

  • install

    true

  • install_file

    api.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/aDAYnLv4

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
    "C:\Users\Admin\AppData\Local\Temp\44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2228
      • C:\Users\Admin\AppData\Roaming\api.exe
        "C:\Users\Admin\AppData\Roaming\api.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5324
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5296

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.bat

      Filesize

      147B

      MD5

      732e4829c0f2509cacdbdd434abff078

      SHA1

      fccb5a7777f592773ae64857409566aafe18be53

      SHA256

      5c85d36e4ec8640dc8d624bfdce1c6a12ddd8fe453a3904941321349063aaadc

      SHA512

      c04bd9d4930edab6c9800f18642c9401eb105f2080076208b7da1f67139fd15c37d1494047bbebc813d517db4ba32e9e3c0f522cfffc5fd2b58ff641745b1b4e

    • C:\Users\Admin\AppData\Roaming\api.exe

      Filesize

      47KB

      MD5

      4a56c6e517888a3524999e18e6d7740b

      SHA1

      3781d9472264ca9af471cdc80ffc87c34134c112

      SHA256

      44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706

      SHA512

      0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e

    • memory/2260-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

      Filesize

      4KB

    • memory/2260-1-0x0000000000E90000-0x0000000000EA2000-memory.dmp

      Filesize

      72KB

    • memory/2260-2-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

    • memory/2260-3-0x0000000005960000-0x00000000059FC000-memory.dmp

      Filesize

      624KB

    • memory/2260-9-0x0000000074DA0000-0x0000000075550000-memory.dmp

      Filesize

      7.7MB

    • memory/5324-13-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB

    • memory/5324-14-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB