Overview

overview

10

Static

static

10

729d6539f4...30.exe

windows7-x64

10

729d6539f4...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    729d6539f4eae0ad9178d7a60b3d478780d8b68bde520d59311e87a4c5f7dc30.exe

  • Size

    63KB

  • MD5

    0ac4039b1060355d3408ad727a6127be

  • SHA1

    a2cad20ee53c6fb731b9052bc7a9d1745f0ee1a8

  • SHA256

    729d6539f4eae0ad9178d7a60b3d478780d8b68bde520d59311e87a4c5f7dc30

  • SHA512

    cf9ce5f07d862438d11ed6a13730be7a90dd525fc0331b3532f3a757801ecbc5adb020f9882108e8f80c2ae0c087cd52d8aaff19114e133c5c6919b67358da54

  • SSDEEP

    768:muY6LVcsTPq781wC8A+Xju8Z4gdKmDrRHsL1+T4tSNGHmDbDdph0oXGkLnTSuIdP:HeQPc/ymDrRH8iUUbXh9/2uIdpqKmY7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

192.168.1.108:2024

Attributes
  • delay

    1

  • install

    true

  • install_file

    OperaGx.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\729d6539f4eae0ad9178d7a60b3d478780d8b68bde520d59311e87a4c5f7dc30.exe
    "C:\Users\Admin\AppData\Local\Temp\729d6539f4eae0ad9178d7a60b3d478780d8b68bde520d59311e87a4c5f7dc30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE5EB.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4020
      • C:\Users\Admin\AppData\Roaming\OperaGx.exe
        "C:\Users\Admin\AppData\Roaming\OperaGx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE5EB.tmp.bat
    Filesize

    151B

    MD5

    1d0c667039e4e4ddbc143c72878bbd40

    SHA1

    97b2ca89cbdc2b47e0d8b33f2f0d0f8fc3952996

    SHA256

    9606b01b346e75e6ca60362864492a9ceb56457f6b0758a87c5299f05ddfbf01

    SHA512

    c538d757a47b807504bd7bc1b1deb04e7b440d5f961cabbf015d2946c4f820f1b265b035853eb80a121bfdd47c4d93f7ebbbfd6f34fb6aed79d3b47bcc4f03aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\OperaGx.exe
    Filesize

    63KB

    MD5

    0ac4039b1060355d3408ad727a6127be

    SHA1

    a2cad20ee53c6fb731b9052bc7a9d1745f0ee1a8

    SHA256

    729d6539f4eae0ad9178d7a60b3d478780d8b68bde520d59311e87a4c5f7dc30

    SHA512

    cf9ce5f07d862438d11ed6a13730be7a90dd525fc0331b3532f3a757801ecbc5adb020f9882108e8f80c2ae0c087cd52d8aaff19114e133c5c6919b67358da54

    Download Submit

  • memory/4364-0-0x0000000000060000-0x0000000000076000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4364-1-0x00007FFC92123000-0x00007FFC92125000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4364-2-0x00007FFC92120000-0x00007FFC92BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4364-7-0x00007FFC92120000-0x00007FFC92BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4364-8-0x00007FFC92120000-0x00007FFC92BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4364-13-0x00007FFC92120000-0x00007FFC92BE1000-memory.dmp

    Filesize

    10.8MB

    Download