Analysis Overview
SHA256
e8594a68a1b573d8cec8418bb410be8d8e3d3cec1017130640dd5aab770059ad
Threat Level: Known bad
The file b7f0467ea05cdb14eea0f67fd09e8bc6.bin was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 03:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 03:25
Reported
2024-08-03 03:28
Platform
win7-20240704-en
Max time kernel
33s
Max time network
147s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SET-UP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2276 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SET-UP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe
"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\SET-UP.EXE
"C:\Users\Admin\AppData\Roaming\SET-UP.EXE"
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE
"C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | parsher.ddnsfree.com | udp |
| TR | 5.252.74.251:8808 | parsher.ddnsfree.com | tcp |
Files
memory/2276-0-0x0000000073EDE000-0x0000000073EDF000-memory.dmp
memory/2276-1-0x0000000000A40000-0x0000000000A5A000-memory.dmp
memory/2276-2-0x0000000073ED0000-0x00000000745BE000-memory.dmp
memory/2276-3-0x0000000073EDE000-0x0000000073EDF000-memory.dmp
memory/2276-4-0x0000000073ED0000-0x00000000745BE000-memory.dmp
memory/2276-5-0x0000000000450000-0x0000000000468000-memory.dmp
memory/2928-14-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-12-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2928-18-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-17-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-8-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-7-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2928-9-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2276-22-0x0000000073ED0000-0x00000000745BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SET-UP.EXE
| Hash | Value |
|---|---|
| MD5 | 098062dde5741b0b42e73060a1b95db0 |
| SHA1 | 803e9fd3f740cfebb06333a7e056e6b6dbdc10d1 |
| SHA256 | 63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611 |
| SHA512 | 69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a |
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE
| Hash | Value |
|---|---|
| MD5 | 09bc60ead95b7741e734741f8fb8a11a |
| SHA1 | 92a543c0091d6284022faa50314bb0bac7b58489 |
| SHA256 | a069e19a43489131c37a99f2c8eae8c53397b5e6a8e4f8b80fbec5c93556c419 |
| SHA512 | 625a3ea7b9cd4b95ee6325bcaefb94f7af8c7f1af2c1a2e41f782c6e35a41aea4ee50a09b5a6a7d8b47e3c6ad2a37d90f60a7ec4ac75e331e61f5fe829b7d991 |
memory/2928-34-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2640-36-0x00000000003A0000-0x00000000003B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6106.tmp
| Hash | Value |
|---|---|
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 03:25
Reported
2024-08-03 03:28
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
148s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SET-UP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5116 set thread context of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SET-UP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe
"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\SET-UP.EXE
"C:\Users\Admin\AppData\Roaming\SET-UP.EXE"
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE
"C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | parsher.ddnsfree.com | udp |
| TR | 5.252.74.251:8808 | parsher.ddnsfree.com | tcp |
| US | 8.8.8.8:53 | 251.74.252.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/5116-0-0x000000007471E000-0x000000007471F000-memory.dmp
memory/5116-1-0x0000000000D70000-0x0000000000D8A000-memory.dmp
memory/5116-2-0x0000000005DE0000-0x0000000006384000-memory.dmp
memory/5116-3-0x0000000005760000-0x00000000057F2000-memory.dmp
memory/5116-4-0x0000000005940000-0x000000000594A000-memory.dmp
memory/5116-5-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/5116-6-0x00000000059D0000-0x0000000005A46000-memory.dmp
memory/5116-7-0x000000007471E000-0x000000007471F000-memory.dmp
memory/5116-8-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/5116-9-0x0000000005A50000-0x0000000005A68000-memory.dmp
memory/5116-10-0x0000000005AA0000-0x0000000005ABE000-memory.dmp
memory/5068-12-0x0000000000400000-0x000000000042E000-memory.dmp
memory/5068-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/5068-15-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1496-20-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/5116-19-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/1496-18-0x0000000002840000-0x0000000002876000-memory.dmp
memory/1496-22-0x00000000053A0000-0x00000000059C8000-memory.dmp
memory/1496-21-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/1496-24-0x0000000005160000-0x0000000005182000-memory.dmp
memory/5068-27-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l13ylhot.mgl.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1496-26-0x0000000005AB0000-0x0000000005B16000-memory.dmp
memory/1496-34-0x0000000005B20000-0x0000000005E74000-memory.dmp
memory/1496-25-0x00000000059D0000-0x0000000005A36000-memory.dmp
C:\Users\Admin\AppData\Roaming\SET-UP.EXE
| Hash | Value |
|---|---|
| MD5 | 098062dde5741b0b42e73060a1b95db0 |
| SHA1 | 803e9fd3f740cfebb06333a7e056e6b6dbdc10d1 |
| SHA256 | 63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611 |
| SHA512 | 69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a |
memory/1496-23-0x0000000074710000-0x0000000074EC0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE
| Hash | Value |
|---|---|
| MD5 | 09bc60ead95b7741e734741f8fb8a11a |
| SHA1 | 92a543c0091d6284022faa50314bb0bac7b58489 |
| SHA256 | a069e19a43489131c37a99f2c8eae8c53397b5e6a8e4f8b80fbec5c93556c419 |
| SHA512 | 625a3ea7b9cd4b95ee6325bcaefb94f7af8c7f1af2c1a2e41f782c6e35a41aea4ee50a09b5a6a7d8b47e3c6ad2a37d90f60a7ec4ac75e331e61f5fe829b7d991 |
memory/1496-58-0x00000000061E0000-0x000000000622C000-memory.dmp
memory/5068-59-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1496-57-0x00000000061B0000-0x00000000061CE000-memory.dmp
memory/2156-56-0x0000000000F20000-0x0000000000F32000-memory.dmp
memory/1496-62-0x00000000066F0000-0x0000000006712000-memory.dmp
memory/1496-61-0x00000000066A0000-0x00000000066BA000-memory.dmp
memory/1496-60-0x0000000006720000-0x00000000067B6000-memory.dmp
memory/1496-64-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2156-65-0x0000000005B40000-0x0000000005BDC000-memory.dmp