Overview

overview

10

Static

static

1

2024-08-06...ar.exe

windows7-x64

10

2024-08-06...ar.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 00:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe

  • Size

    592KB

  • MD5

    8ca8d1fe960a2b10d28ba017a8e71e10

  • SHA1

    2157e3dff5041988706756723655d5501ae8148f

  • SHA256

    566faf9961e590ce146c85c70fc08191682a20166d852ace3a269c418135cfb4

  • SHA512

    475ce76b2ed0ca3d2284fb9e3cc4ae4aad0b7e9eba21bf615dd1f23bf6d3d150e472dee430884d2243e6b02509c46b2c5c796122aba076f828015c050df6eccd

  • SSDEEP

    12288:qpFbY22u8RFARyGfQ3MWTZfV/hlBg1ddAAZkR:qpxY2CkyGob9/lkAp

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.252.165.55:1987

Mutex

AsyncMutex_6SI2OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    NOTES.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DRcaHBxZZHGD.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DRcaHBxZZHGD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA6E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe"
      2⤵
        PID:2860
      • C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-08-06_8ca8d1fe960a2b10d28ba017a8e71e10_hiddentear.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NOTES" /tr '"C:\Users\Admin\AppData\Roaming\NOTES.exe"' & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "NOTES" /tr '"C:\Users\Admin\AppData\Roaming\NOTES.exe"'
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1032
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF97C.tmp.bat""
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:292
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1728
          • C:\Users\Admin\AppData\Roaming\NOTES.exe
            "C:\Users\Admin\AppData\Roaming\NOTES.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NOTES.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1996
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DRcaHBxZZHGD.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1328
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DRcaHBxZZHGD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3968.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1764
            • C:\Users\Admin\AppData\Roaming\NOTES.exe
              "C:\Users\Admin\AppData\Roaming\NOTES.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2120

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpEA6E.tmp
      Filesize

      1KB

      MD5

      09e4a0daf0abfc9b9e253eb90a1deaff

      SHA1

      b6c32e9840160b4ee26413b426ed9c4216ac6570

      SHA256

      a452e3c918d5a5a37940c08074fc07f42c26e097a5c0718fac1440537f4607d0

      SHA512

      14bcc098412e6b8a8689d656bb80e0e74f863d70e9435ee1f6dd148c68d4004f105f8b6a50b1d55671f1e2f45973d61d7f50f9046fef86b30f5e0fd9db1f8436

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpF97C.tmp.bat
      Filesize

      149B

      MD5

      b8a65aaa6b54319fdf33653a5d570acb

      SHA1

      2ffb5a138adef0f47b8aa887bf910447df9119a6

      SHA256

      b4ec3cf68ba3a6d110a01107d750f30adda8f191924342c11c5cb0f0ddddeb7e

      SHA512

      cb1a243b2108ea34717bf40ccc4091a089496d7803c2250f57cdabc57fdab763c5aafd4bd8125a971b1715563d50b7020b4f94f06bdea5203ac20cd3e896b505

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      a30bd07836b0304c7b5d4269314b2437

      SHA1

      7468a7ff0470d2355edcc615bf79a975562fcf9d

      SHA256

      63d7fafcd8e4d273fab8cc713d6a2dc1c246d72b71c6199dcede90018b68a4af

      SHA512

      3163acaad62f812c5b4353f879b05e7ac3a5e22c830bc0f14e7d6759c6ddab493732ba67af6e2f2c2b91bdc545e04b9f0f66e60c246f41788cbf77329b9a86cf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      5f288584521773f560507d1ae77c7753

      SHA1

      6df4b47562d64f0781c0d032ec3bcdd9aa02e92f

      SHA256

      0f8712770abc0ec9b6d5c0ad95dfb3d8c5bcacfccb3c4526b00ac8c98f254833

      SHA512

      d31bdb4f085990b6e3095f90847094a45934892a9dd0db23759a12beb1954d7549e6d9e251fe719aa8c2f93755a3108233a49f08507d5bc09a9db4f6fded6765

      Download Submit

    • \Users\Admin\AppData\Roaming\NOTES.exe
      Filesize

      592KB

      MD5

      8ca8d1fe960a2b10d28ba017a8e71e10

      SHA1

      2157e3dff5041988706756723655d5501ae8148f

      SHA256

      566faf9961e590ce146c85c70fc08191682a20166d852ace3a269c418135cfb4

      SHA512

      475ce76b2ed0ca3d2284fb9e3cc4ae4aad0b7e9eba21bf615dd1f23bf6d3d150e472dee430884d2243e6b02509c46b2c5c796122aba076f828015c050df6eccd

      Download Submit

    • memory/836-6-0x00000000058A0000-0x00000000058F4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/836-3-0x00000000004E0000-0x00000000004F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/836-5-0x0000000000520000-0x0000000000536000-memory.dmp

      Filesize

      88KB

      Download

    • memory/836-4-0x0000000000510000-0x000000000051E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/836-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/836-1-0x0000000000DB0000-0x0000000000E46000-memory.dmp

      Filesize

      600KB

      Download

    • memory/836-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/836-32-0x00000000742D0000-0x00000000749BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1680-47-0x0000000000A10000-0x0000000000A26000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1680-46-0x00000000012B0000-0x0000000001346000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2120-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2120-71-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2120-73-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-29-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-21-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-23-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-25-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2628-28-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-31-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2628-19-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download