Overview

overview

10

Static

static

10

System.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    28s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-07-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    System.exe

  • Size

    47KB

  • MD5

    b54a96fc6a2c782fe559ab2a5a6c926f

  • SHA1

    48ba8ab74fe7e669ef28304852728466b92998c3

  • SHA256

    e6d47f48a0ce335565ab3f98b7fcea9b3078e0c8a100f9b85f5c1dd8e5c61647

  • SHA512

    67a3c71c9ddb6eab42086f5881a2473832762f742cfe5f465a719d4cf69334629ff81797a5a438e74f12abbfd7850c15621919ac7babf3d7b3a357ca86c7531f

  • SSDEEP

    768:8uMBi+TDlxOZvWUjwF8ONmo2qztSZ716XtFOtmY8/LQfPImB1sgV0b66OMUEjKK+:8uMB1TDlssF72B71SO8K4mBGVb66ujak

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

newstartagain.servequake.com:6606

newstartagain.servequake.com:7707

newstartagain.servequake.com:8808

newstartagain50.duckdns.org:6606

newstartagain50.duckdns.org:7707

newstartagain50.duckdns.org:8808
Mutex

Fm255Mv55doc

Attributes
  • delay

    3

  • install

    true

  • install_file

    System.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD179.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3276
      • C:\Users\Admin\AppData\Roaming\System.exe
        "C:\Users\Admin\AppData\Roaming\System.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3572
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.exe.log
      Filesize

      522B

      MD5

      acc9090417037dfa2a55b46ed86e32b8

      SHA1

      53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

      SHA256

      2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

      SHA512

      d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD179.tmp.bat
      Filesize

      150B

      MD5

      32602092c66ec1d07b5fbd121f03161b

      SHA1

      dc1321c4d135f1964f2d465bb2184923c4fdb115

      SHA256

      035932a982a01a8bb6badfce363130ae65ff661deb40ca8fd11039419b707680

      SHA512

      f40319875dc1477b4e757f2fd84c4e4af930360d3a31534629a2b05d6a65c2ed8baf549e293134d6b11de011e326c6ba9e721e12e9ed9bec0ae402eb994657c7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\System.exe
      Filesize

      47KB

      MD5

      b54a96fc6a2c782fe559ab2a5a6c926f

      SHA1

      48ba8ab74fe7e669ef28304852728466b92998c3

      SHA256

      e6d47f48a0ce335565ab3f98b7fcea9b3078e0c8a100f9b85f5c1dd8e5c61647

      SHA512

      67a3c71c9ddb6eab42086f5881a2473832762f742cfe5f465a719d4cf69334629ff81797a5a438e74f12abbfd7850c15621919ac7babf3d7b3a357ca86c7531f

      Download Submit

    • memory/3388-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3388-1-0x00000000008E0000-0x00000000008F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3388-2-0x00000000744A0000-0x0000000074C50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3388-3-0x00000000053B0000-0x000000000544C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3388-8-0x00000000744A0000-0x0000000074C50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3572-14-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-12-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-15-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-22-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-26-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-25-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-24-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-23-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-21-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3572-20-0x0000020C39D00000-0x0000020C39D01000-memory.dmp

      Filesize

      4KB

      Download