Overview

overview

10

Static

static

10

919b436618...13.exe

windows7-x64

10

919b436618...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-08-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    919b43661894503a00d44ffd1174d613.exe

  • Size

    64KB

  • MD5

    919b43661894503a00d44ffd1174d613

  • SHA1

    c510009fb7bad735e35a10c0ebe925d730ca961f

  • SHA256

    7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca

  • SHA512

    5019e86e2c0585aa59d7c14b4a0b03c911440487b9bd843db0a6138861e46274f17d72deea09429b650c5976aa9bf03d7427d65b26cc4b65c0c0bd9f1b19997b

  • SSDEEP

    768:N9aGzWs/9PiPJ5eit9JSTLavfU4OnsD3q66T1+4SCv7mqb2nRpwH1oDjoUhPGnPP:vaW90TekUJyq6OqGbbUwDuGnPpqKmY7

Score
10/10
asyncratdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

C2

server.underground-cheat.xyz:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    Host Process for Windows.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

C2

blue.o7lab.me:7777

server.underground-cheat.xyz:7777
Mutex

RPYntXGt1eJi

Attributes
  • delay

    3

  • install

    true

  • install_file

    WinUpdate.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\919b43661894503a00d44ffd1174d613.exe
    "C:\Users\Admin\AppData\Local\Temp\919b43661894503a00d44ffd1174d613.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Host Process for Windows" /tr '"C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Host Process for Windows" /tr '"C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4704
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp758E.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4724
      • C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe
        "C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3756
            • C:\Users\Admin\AppData\Local\Temp\$77svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1784
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:664
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2152
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpADF3.tmp.bat""
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1708
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 3
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:2036
                • C:\Users\Admin\AppData\Roaming\WinUpdate.exe
                  "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$77svchost.exe
    Filesize

    45KB

    MD5

    a44a767dba207c04c74afae17144f787

    SHA1

    fa14f38216e259be5b181c825719f1c864691a5f

    SHA256

    26eaa5bce06cadc54cb4990fabb1b9150966ef720b07a836ef2bd456360246b2

    SHA512

    7dfd6e182ac9f16b29843cb0eabaa7db02fa3ee59c65c7822d9213859c4a7185d0fdcd1d51747a11b4fdd3a7947ea14fdc7fa583c13b4d3edf50b8d6d3178619

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqju10ow.j0e.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp758E.tmp.bat
    Filesize

    168B

    MD5

    a1520315f2d9cffa55c23cc44e46f662

    SHA1

    8936acc11c93639eedbf25d6994c29cccde41332

    SHA256

    0fd010db1171270a1fa2305cbf938a312dc8c4b68caa0e22218670a5aeec7bc3

    SHA512

    789854de0630836ed0b0568b767b436c4c4f7d9e13e6f8b1b4ab7aeca92d03f0f758040a33d066b35b87fb00e803aedf79596e813a10256458e52d87bdaa15b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpADF3.tmp.bat
    Filesize

    153B

    MD5

    8e98d01e440e50d79a048ce6736bb4a4

    SHA1

    a7d6e3d759becf68a25e186cd961a2aa04427855

    SHA256

    3005717d0626935763dc54539893a3f769c93d9acdc36336570ab539659da1dd

    SHA512

    6ed7640f2257d632eb07092c7c08a60594fddce5808026e6fe4a64a1c3635af1686715b774f9e43ab60829c3095dc3dc72ceaad9a8eba4e3c0c495eb298e8573

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe
    Filesize

    64KB

    MD5

    919b43661894503a00d44ffd1174d613

    SHA1

    c510009fb7bad735e35a10c0ebe925d730ca961f

    SHA256

    7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca

    SHA512

    5019e86e2c0585aa59d7c14b4a0b03c911440487b9bd843db0a6138861e46274f17d72deea09429b650c5976aa9bf03d7427d65b26cc4b65c0c0bd9f1b19997b

    Download Submit

  • memory/1596-12-0x000000001B940000-0x000000001B9B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1596-13-0x0000000002EB0000-0x0000000002EBE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1596-14-0x0000000002EE0000-0x0000000002EFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1784-31-0x0000000004D90000-0x0000000004E2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1784-30-0x0000000000510000-0x0000000000522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3756-16-0x0000013DA9220000-0x0000013DA9242000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4036-0-0x0000000000850000-0x0000000000866000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4036-7-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4036-2-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4036-1-0x00007FFDEB623000-0x00007FFDEB625000-memory.dmp

    Filesize

    8KB

    Download