Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 22:54

Behavioral task: behavioral1
Sample: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
Resource: win7-20240221-en
General
Target: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
Size: 47KB
MD5: 4a56c6e517888a3524999e18e6d7740b
SHA1: 3781d9472264ca9af471cdc80ffc87c34134c112
SHA256: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706
SHA512: 0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e
SSDEEP: 768:Euzkx3FTkYwt9y4gWUOlKnjamo2q8ayby6FXbWPI8rQ9Hyfw+0bF3HFZBzUccTUW:EuS3FTHHe2Gy+6Z78rQ9HGWbF3T9U5+Q
Malware Config
Extracted
asyncrat
0.5.8
Default
0UfuvIZfaBv8
delay: 3
install: true
install_file: api.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/aDAYnLv4
Signatures
Async RAT payload (1 IoCs)
  resource:  C:\Users\Admin\AppData\Roaming\api.exe
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  process:     44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe

Executes dropped EXE (1 IoCs)
  pid 5324  api.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 27 IoCs)
  ioc: pastebin.com (flows 59, 60, 72, 80, 85, 86, 20, 21, 48, 56, 61, 39, 54, 75, 79, 76, 53, 69, 31, 52, 55, 66, 73, 71, 78, 62, 77)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
  pid 2228  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 2260  44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe  (23 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2260  44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
  Token: SeDebugPrivilege  5324  api.exe

Suspicious use of WriteProcessMemory (15 IoCs; each entry below recorded 3 times)
  description                        pid   process                                                                   target process
  PID 2260 wrote to memory of 3104   2260  44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe  cmd.exe
  PID 2260 wrote to memory of 4176   2260  44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe  cmd.exe
  PID 3104 wrote to memory of 4548   3104  cmd.exe                                                                   schtasks.exe
  PID 4176 wrote to memory of 2228   4176  cmd.exe                                                                   timeout.exe
  PID 4176 wrote to memory of 5324   4176  cmd.exe                                                                   api.exe
Processes
C:\Users\Admin\AppData\Local\Temp\44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe  (PID 2260)
    Command line: "C:\Users\Admin\AppData\Local\Temp\44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3104)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"' & exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  (PID 4548)
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"'
            - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe  (PID 4176)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.bat""
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe  (PID 2228)
            Command line: timeout 3
            - Delays execution with timeout.exe

        C:\Users\Admin\AppData\Roaming\api.exe  (PID 5324)
            Command line: "C:\Users\Admin\AppData\Roaming\api.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5296)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 147B
MD5: 732e4829c0f2509cacdbdd434abff078
SHA1: fccb5a7777f592773ae64857409566aafe18be53
SHA256: 5c85d36e4ec8640dc8d624bfdce1c6a12ddd8fe453a3904941321349063aaadc
SHA512: c04bd9d4930edab6c9800f18642c9401eb105f2080076208b7da1f67139fd15c37d1494047bbebc813d517db4ba32e9e3c0f522cfffc5fd2b58ff641745b1b4e
-
Filesize: 47KB
MD5: 4a56c6e517888a3524999e18e6d7740b
SHA1: 3781d9472264ca9af471cdc80ffc87c34134c112
SHA256: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706
SHA512: 0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e