Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
02-08-2024 15:03
General
-
Target
ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d.exe
-
Size
63KB
-
MD5
ce0eb5168feda8b72aa9cbfe311378e0
-
SHA1
18248cf6a415bc816b0a983b3dd74da7a9ee9023
-
SHA256
ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d
-
SHA512
5a2fa589276afcac414ebb0424f1a56bdeb28cd8999f8902c81083961eecfd7b13639df67f52375c32fc7b5e616724baa79b722508414db5e7d12e1af4268013
-
SSDEEP
768:iK7epXkjhxfm785YC8A+Xz2peyr61urX1+T4uoSBGHmDbDTph0oXI9tBE9SuQdph:NDhxf8Qn0tYUbJh94ZuQdpqKmY7
Malware Config
Extracted
asyncrat
Default
and-statements.gl.at.ply.gg:43442
-
delay
1
-
install
true
-
install_file
test.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d.exe"C:\Users\Admin\AppData\Local\Temp\ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Local\Temp\test.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Local\Temp\test.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp95AB.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5ce0eb5168feda8b72aa9cbfe311378e0
SHA118248cf6a415bc816b0a983b3dd74da7a9ee9023
SHA256ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d
SHA5125a2fa589276afcac414ebb0424f1a56bdeb28cd8999f8902c81083961eecfd7b13639df67f52375c32fc7b5e616724baa79b722508414db5e7d12e1af4268013
-
Filesize
151B
MD5c2e7a1549937aa2dd330daca45441672
SHA121ac108ff04171c0ffa87fbf3d4956fe200ab824
SHA256a17b5c0b39b98244c9175ca8fd96ed3687e9ad222fb8beea7a650ca1a8cde7cf
SHA51281f9feca5a864321d657cf3b6d0634cbc81689737e0169c0f88b59332fb2ed4b98c1793b7f14769818b3c260f91d7f95e97f9a854b0fa5e4255fbe654604bf45
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB