Analysis Overview
SHA256
9c75c0e33bb81cadd1659deef9302106b7f2358cd8ea613e6e8b76f41e60ba8a
Threat Level: Known bad
The file 76e8d35fe35dce2fb65d0e2fb1be067c.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 11:40
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 11:40
Reported
2024-06-28 11:42
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
143s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe
"C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "task" /tr '"C:\Users\Admin\AppData\Roaming\task.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp499C.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "task" /tr '"C:\Users\Admin\AppData\Roaming\task.exe"'
C:\Users\Admin\AppData\Roaming\task.exe
"C:\Users\Admin\AppData\Roaming\task.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.12.20.2.in-addr.arpa | udp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
Files
memory/3596-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
memory/3596-1-0x0000000000C80000-0x0000000000C98000-memory.dmp
memory/3596-3-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/3596-9-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/3596-8-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp499C.tmp.bat
| MD5 | 4bdbf3063ec394cd787f0c52c8e88fce |
| SHA1 | d4ede05dc167b2c6fe70ccad4aab9c494266cd07 |
| SHA256 | 44dcf2e4249b2216ab4fbd9715bf912f87c02f8ca9856bae2f06ca4f2531a4f8 |
| SHA512 | b6423d290f3a98bd61276ec0521716e264878f66e1dbbdf30f237acbd069bcb83451eaa57d17e83fa1c6b544850f29f34498db0231d53aab66eca44ec379f1f5 |
C:\Users\Admin\AppData\Roaming\task.exe
| MD5 | 76e8d35fe35dce2fb65d0e2fb1be067c |
| SHA1 | 543ae7d1f3288b6439f50a7a6c50dacf02d13af4 |
| SHA256 | 9c75c0e33bb81cadd1659deef9302106b7f2358cd8ea613e6e8b76f41e60ba8a |
| SHA512 | d1a406fb8862577e0ba9ed1404b7568fcf519e8a39bc966e9ea58922bb2eb34bdd7275f9f3c6688b77d3604427a21973484d0b15a9cb4c992f61b17a2d775f02 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 11:40
Reported
2024-06-28 11:42
Platform
win7-20240221-en
Max time kernel
127s
Max time network
139s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\task.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe
"C:\Users\Admin\AppData\Local\Temp\76e8d35fe35dce2fb65d0e2fb1be067c.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "task" /tr '"C:\Users\Admin\AppData\Roaming\task.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "task" /tr '"C:\Users\Admin\AppData\Roaming\task.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\task.exe
"C:\Users\Admin\AppData\Roaming\task.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
| NL | 91.92.246.193:4444 | N/A | tcp |
Files
memory/2976-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp
memory/2976-1-0x0000000000AE0000-0x0000000000AF8000-memory.dmp
memory/2976-3-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp.bat
| MD5 | 24dbf479dec5fc54a06ef6e60dbcbd1d |
| SHA1 | 0ba4109fad7a0a413251d47a6b45a3ae46a462d1 |
| SHA256 | 4565f6467a103ea0e76984fb90ca23dd170fdf8b556787f6062848eb20457165 |
| SHA512 | 77a6f121fcfa19075720ac7c382027ddc733abe21507b267dd5519b6d609ac28f8d695afcce285d911147513b2a637d58c0a98015c3eec6f07a944d26e8c3a01 |
memory/2976-12-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
memory/2976-14-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
C:\Users\Admin\AppData\Roaming\task.exe
| MD5 | 76e8d35fe35dce2fb65d0e2fb1be067c |
| SHA1 | 543ae7d1f3288b6439f50a7a6c50dacf02d13af4 |
| SHA256 | 9c75c0e33bb81cadd1659deef9302106b7f2358cd8ea613e6e8b76f41e60ba8a |
| SHA512 | d1a406fb8862577e0ba9ed1404b7568fcf519e8a39bc966e9ea58922bb2eb34bdd7275f9f3c6688b77d3604427a21973484d0b15a9cb4c992f61b17a2d775f02 |
memory/2868-18-0x00000000008A0000-0x00000000008B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |