Overview

overview

10

Static

static

10

231.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    599s
  • max time network
    529s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-07-2024 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    231.exe

  • Size

    63KB

  • MD5

    1b8eea1226cd913da97c0c0b8a806b18

  • SHA1

    4320bde806e4fb5792be6bfb2e0b45ae30033fa0

  • SHA256

    4476d0eb2a47cb9bfe3155abf0a1603de727dd127f4df099b344df56c22c0d67

  • SHA512

    70fca344d74efe3e1bf9268e36bd2aac698e69cde340559f5a0df603bf996d06f6b60920cf02ecf19c8532f6a6d6210a4c9ad54a61ddbf12541ae0cfee3da7f1

  • SSDEEP

    1536:zZgPH9F4s1THE6HTIiTEulumGbb+wAe+EhGG0kpqKmY7:zZgPH9F4sBHLTIiTnGbb+xmuvz

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.2

Botnet

Default

C2

stores-less.gl.at.ply.gg:45080

Mutex

AtomRatMutex_penka

Attributes
  • delay

    1

  • install

    true

  • install_file

    piskat.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\231.exe
    "C:\Users\Admin\AppData\Local\Temp\231.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "piskat" /tr '"C:\Users\Admin\AppData\Roaming\piskat.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "piskat" /tr '"C:\Users\Admin\AppData\Roaming\piskat.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F13.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2380
      • C:\Users\Admin\AppData\Roaming\piskat.exe
        "C:\Users\Admin\AppData\Roaming\piskat.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "piskat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "piskat"
            5⤵
              PID:812
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F05.tmp.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1420
            • C:\Windows\system32\timeout.exe
              timeout 3
              5⤵
              • Delays execution with timeout.exe
              PID:1800
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:868

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7F13.tmp.bat
      Filesize

      150B

      MD5

      33f2e682c09506708c90a031a6908fa1

      SHA1

      8816fc2831d8f8543d11d89ce0839df01871041e

      SHA256

      2a83781f3e417f80e0e77d906687572c4adefd25a5732fed9a2918da58f0d404

      SHA512

      22a79bfbe69353810872a7406d7225c89ef0ca7f64d1561f5c35e093983bddb31aaa8aa874c36a2db4ac72116f8d4d40b8655cf8563e10aedde86ee9017a4651

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9F05.tmp.bat
      Filesize

      155B

      MD5

      b8169c1b7e90d66943021efb945a6be5

      SHA1

      f714ca12e1084eb710199d8181bf4de558488c52

      SHA256

      8d80af3926845bd689d6f3366ae0ea01ef75b012203cd5dff4a3ca8e306eba5f

      SHA512

      286a774971d8f7aa4c9d552cbf2785c5d58d3844f27322a34fdf866d6539963802276fd0c0ed8442953a553ee77d7bd58ad51791052a3261cda7345bc230b466

      Download Submit

    • C:\Users\Admin\AppData\Roaming\piskat.exe
      Filesize

      63KB

      MD5

      1b8eea1226cd913da97c0c0b8a806b18

      SHA1

      4320bde806e4fb5792be6bfb2e0b45ae30033fa0

      SHA256

      4476d0eb2a47cb9bfe3155abf0a1603de727dd127f4df099b344df56c22c0d67

      SHA512

      70fca344d74efe3e1bf9268e36bd2aac698e69cde340559f5a0df603bf996d06f6b60920cf02ecf19c8532f6a6d6210a4c9ad54a61ddbf12541ae0cfee3da7f1

      Download Submit

    • memory/1756-26-0x000001B388A00000-0x000001B388A76000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1756-27-0x000001B386F60000-0x000001B386FC4000-memory.dmp

      Filesize

      400KB

      Download

    • memory/1756-28-0x000001B386FF0000-0x000001B38700E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2448-0-0x0000025A90A80000-0x0000025A90A96000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2448-1-0x00007FFE3CEF3000-0x00007FFE3CEF4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2448-2-0x00007FFE3CEF0000-0x00007FFE3D8DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2448-3-0x00007FFE3CEF0000-0x00007FFE3D8DC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2448-8-0x00007FFE3CEF0000-0x00007FFE3D8DC000-memory.dmp

      Filesize

      9.9MB

      Download