Analysis
-
max time kernel
146s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
15-07-2024 16:14
General
-
Target
zvgfd-main/asjdfg.exe
-
Size
63KB
-
MD5
a74bccdc0abb0d77b4b7af3a31827e17
-
SHA1
ed08f899146994d3e303b193a6a73b1810e4b842
-
SHA256
f3ff97453bf728c77ee76a946a11ab93b1c79a4f742d71fb3c2315e86007355c
-
SHA512
7c79c5b0c52a75db296c23db6c066da28b57f8b8749cc895af1252d9294c26fedb37404ac8f62c8ed3b0cc6e12458c6612bb6e4f78276f3fb118e7459d1c6e90
-
SSDEEP
1536:0YmHssdSJYUbdh98ArnX35kHqu8dpqKmY7:0YVsYYUbdAAjDGz
Malware Config
Extracted
asyncrat
Default
75.24.104.157:3232
-
delay
3
-
install
true
-
install_file
WIndows Security Backup.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\asjdfg.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\asjdfg.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WIndows Security Backup" /tr '"C:\Users\Admin\AppData\Roaming\WIndows Security Backup.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "WIndows Security Backup" /tr '"C:\Users\Admin\AppData\Roaming\WIndows Security Backup.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC2E.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\WIndows Security Backup.exe"C:\Users\Admin\AppData\Roaming\WIndows Security Backup.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
167B
MD535fc85dbfe0692214925afa1713e4f84
SHA1ce9799969c7d4ff75648da03707d449e5f047c65
SHA256cebe969f080c54130360a0f56fa1e4e45b51de62964df38747ddea0b9b0da427
SHA5121e8eec6580d72f81ecfe25421a40944ee29142073807dda9922d6390f437166bf11c6beda281b045e99ddd82a5d7ebb4df7fdc6cc86077af64c6d8566db74794
-
Filesize
63KB
MD5a74bccdc0abb0d77b4b7af3a31827e17
SHA1ed08f899146994d3e303b193a6a73b1810e4b842
SHA256f3ff97453bf728c77ee76a946a11ab93b1c79a4f742d71fb3c2315e86007355c
SHA5127c79c5b0c52a75db296c23db6c066da28b57f8b8749cc895af1252d9294c26fedb37404ac8f62c8ed3b0cc6e12458c6612bb6e4f78276f3fb118e7459d1c6e90
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB