Overview

overview

10

Static

static

3

3c0d368d28...0N.exe

windows7-x64

10

3c0d368d28...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c0d368d28b89e894e6b568435b7e730N.exe

  • Size

    3.0MB

  • MD5

    3c0d368d28b89e894e6b568435b7e730

  • SHA1

    201419762e874bd24bbefd0dc4e896694432f3a0

  • SHA256

    246229260c7e76ec89aac6111b8eff0c843e9e9044c518fe16830ae37ec3c0ce

  • SHA512

    43d875cc04575ca5bd53bf86ce81082ee848be757da5625e844f7335ffcc7808dd1251e60fded9df564be7e9f9bde42b66b6ccde99b6fd4c8cf7550064df6182

  • SSDEEP

    49152:/r2d6pm/od2TOp/N63fNluPsd3Teg47/OhuGzrI1RgapIqYzC6aQD0+WmQXC/z/:6aErT6/N6PsY0zODzrFapfYzk+Wjgz

Score
10/10
asyncratdefaultdefense_evasiondiscoveryevasionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

mcehonline-48304.portmap.io:48304

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    systems.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c0d368d28b89e894e6b568435b7e730N.exe
    "C:\Users\Admin\AppData\Local\Temp\3c0d368d28b89e894e6b568435b7e730N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdgB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAcgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAawBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcwB5ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
    • C:\Users\Admin\AppData\Local\Temp\Edius Lisance Activation.exe
      "C:\Users\Admin\AppData\Local\Temp\Edius Lisance Activation.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\ckz_H0MA\Edius ( N C S ).exe
        "C:\Users\Admin\AppData\Local\Temp\ckz_H0MA\Edius ( N C S ).exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Users\Admin\AppData\Local\Temp\ckz_H0MA\Edius ( N C S )-original.exe
          "C:\Users\Admin\AppData\Local\Temp\ckz_H0MA\Edius ( N C S )-original.exe"
          4⤵
          • Executes dropped EXE
          PID:2944
    • C:\Users\Admin\AppData\Local\Temp\edius.exe
      "C:\Users\Admin\AppData\Local\Temp\edius.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "systems" /tr '"C:\Users\Admin\AppData\Roaming\systems.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "systems" /tr '"C:\Users\Admin\AppData\Roaming\systems.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:316
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7E1.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4064
        • C:\Users\Admin\AppData\Roaming\systems.exe
          "C:\Users\Admin\AppData\Roaming\systems.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Edius Lisance Activation.exe
    Filesize

    800KB

    MD5

    a089f33be71d405c7b685959bf8f1ec5

    SHA1

    4f643ec951b8f6d3ef2cf43057f4ab1bcdf3f95f

    SHA256

    b182cff2f31aa116e9842b3eead80550d7192c3feb3e10654a80ea7ce03e8ea6

    SHA512

    3db359840face4c876a8849fe7b19432e246874d307618602360807550515344f9aaa8c99838bb088fcd9e3516957b451301e3db57b6620cd317080e6d6776a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhrkinxj.asr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ckz_H0MA\Edius ( N C S )-original.exe
    Filesize

    389KB

    MD5

    bf08d76373074130cf20e49e44eb953d

    SHA1

    ceb331e5fd002e07b6fc941fe3139cd419d6ffa0

    SHA256

    2cdf94b7b0216a5a83aae835f5b9419e5294853c674483705b83e7373f785f91

    SHA512

    10246ceba7af5ea164d022229c70443eed7f8ca3efbbf9a3b4e1755365a5a27e126dd7d45e82c596072d8c971520abf4c58fe270396f407496841ba888001b68

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ckz_H0MA\Edius ( N C S ).exe
    Filesize

    6KB

    MD5

    9a205daf40416734ec489ca23a9d11c8

    SHA1

    8319c316cafda619192d802163fc25c135633c61

    SHA256

    c17a392df3d8d2a09a8fcd0d14bde2d092b9bfcf9e7159924861eda1cf8257b1

    SHA512

    6f06929c4f73ae505dcaeebbd0163af4b798e5144c5d535e8b42a5d9b40e9707864f3cc0d3d5cb981b6ee163e0b80c7d1253210922b73ce62df4d281fbebfdbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\edius.exe
    Filesize

    47KB

    MD5

    760c6041134e80eb0a7c9f31ea39391f

    SHA1

    acaaff5eee05faf1842c36048b7fa30351a35ad6

    SHA256

    b584138861ddc6da039cf28f8f16987095ddac24c10e9554a1facd8875436079

    SHA512

    4d7167a19e1a9df47a761023ab71c7339d676d95e3ad9a3f1e5af86e6f522b0629df16e72768dd680313ff12d8ec448ab1f1f603e84b033d27314b5e4d67cfb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD7E1.tmp.bat
    Filesize

    151B

    MD5

    85b302fe5d063278fc98ad3825959842

    SHA1

    c8ee6b67d216711b59feb88247f36764a29ec8c1

    SHA256

    faa60ad6c246547f329e1faccbd6973d658da8f2822ecc9ad12d98a41fd0b642

    SHA512

    3d9f87b709615e6ca832d726f22d088e14eb8984bc860767962935f7f0b8f1898c2e1b9748581f1dd4151c9650998a31f5ae044e6fcf37124eee119c32e0fedb

    Download Submit

  • memory/968-27-0x00007FFE28B03000-0x00007FFE28B05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/968-26-0x0000000000D70000-0x0000000000D82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2104-44-0x0000000000770000-0x0000000000778000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2140-3-0x0000000000400000-0x0000000000A46000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/2140-0-0x0000000000400000-0x0000000000A46000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/2140-2-0x0000000000401000-0x00000000004B3000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2140-1-0x00000000774B4000-0x00000000774B6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2944-61-0x000001D228EE0000-0x000001D228F30000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2944-59-0x000001D2272E0000-0x000001D22734A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/3556-33-0x0000000004B80000-0x0000000004BB6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3556-77-0x00000000070E0000-0x0000000007183000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3556-52-0x0000000005AC0000-0x0000000005B26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3556-60-0x0000000005C30000-0x0000000005F84000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3556-45-0x0000000005130000-0x0000000005152000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3556-41-0x00000000052B0000-0x00000000058D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3556-62-0x00000000060D0000-0x00000000060EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3556-63-0x0000000006180000-0x00000000061CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3556-65-0x00000000066B0000-0x00000000066E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3556-66-0x000000006FF00000-0x000000006FF4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3556-76-0x00000000070B0000-0x00000000070CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3556-46-0x0000000005A50000-0x0000000005AB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3556-28-0x000000007360E000-0x000000007360F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3556-83-0x0000000007A60000-0x00000000080DA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3556-84-0x0000000007420000-0x000000000743A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3556-85-0x0000000007490000-0x000000000749A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3556-86-0x00000000076B0000-0x0000000007746000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3556-87-0x0000000007620000-0x0000000007631000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3556-88-0x0000000007660000-0x000000000766E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3556-89-0x0000000007670000-0x0000000007684000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3556-90-0x0000000007750000-0x000000000776A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3556-91-0x00000000076A0000-0x00000000076A8000-memory.dmp

    Filesize

    32KB

    Download