Overview

overview

10

Static

static

10

1e6725d654...0N.exe

windows7-x64

10

1e6725d654...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e6725d654ad07c4b624189f4ad3f940N.exe

  • Size

    63KB

  • MD5

    1e6725d654ad07c4b624189f4ad3f940

  • SHA1

    729dcee88e1c74c2fa4508ff5d97774daf555b30

  • SHA256

    be964bd01ae7ce65229159b675bf64c3e5fe02ad2034b7d9904b905fd51903ac

  • SHA512

    8fad99354fee9e201a847bd96a175561f12a1792c873afaa464991caea6591ecae24abb93349d1369f4bea60b389016d3ce4a8014b58caf8e330da9f71d54d35

  • SSDEEP

    768:ijSu/n3jzh78J4C8A+XTSazcBRL5JTk1+T4KSBGHmDbD/ph0oXIT/gdMcSugdpqM:UrzV4dSJYUbdh9OmiugdpqKmY7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

complete-veterans.gl.at.ply.gg:6374

complete-veterans.gl.at.ply.gg:32986
Attributes
  • delay

    1

  • install

    true

  • install_file

    nvidiaapp.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e6725d654ad07c4b624189f4ad3f940N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e6725d654ad07c4b624189f4ad3f940N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nvidiaapp" /tr '"C:\Users\Admin\AppData\Roaming\nvidiaapp.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "nvidiaapp" /tr '"C:\Users\Admin\AppData\Roaming\nvidiaapp.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3944
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1980
      • C:\Users\Admin\AppData\Roaming\nvidiaapp.exe
        "C:\Users\Admin\AppData\Roaming\nvidiaapp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.bat
    Filesize

    153B

    MD5

    36a2891a0e1ea28533917771a25a066d

    SHA1

    a40b2db34eb15db02aa6497cb4bea180415c9fb6

    SHA256

    a2bfa4cd105f70e1c97b6ed9c1bdf797297660bd128fa5c23b8300b69d1c7f41

    SHA512

    d290d59cb8397e7a60391d924b89486bb94915969eb8e8b3566c5308942871804cc72699cfd868f646db54e751cdef48a20f6353eb634874a14404938f31c82d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\nvidiaapp.exe
    Filesize

    63KB

    MD5

    1e6725d654ad07c4b624189f4ad3f940

    SHA1

    729dcee88e1c74c2fa4508ff5d97774daf555b30

    SHA256

    be964bd01ae7ce65229159b675bf64c3e5fe02ad2034b7d9904b905fd51903ac

    SHA512

    8fad99354fee9e201a847bd96a175561f12a1792c873afaa464991caea6591ecae24abb93349d1369f4bea60b389016d3ce4a8014b58caf8e330da9f71d54d35

    Download Submit

  • memory/1540-0-0x0000000000E20000-0x0000000000E36000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1540-1-0x00007FF9BF273000-0x00007FF9BF275000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1540-2-0x00007FF9BF270000-0x00007FF9BFD31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1540-7-0x00007FF9BF270000-0x00007FF9BFD31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1540-8-0x00007FF9BF270000-0x00007FF9BFD31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1540-13-0x00007FF9BF270000-0x00007FF9BFD31000-memory.dmp

    Filesize

    10.8MB

    Download