Overview

overview

10

Static

static

10

02cb8f411c...e0.exe

windows7-x64

10

02cb8f411c...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-08-2024 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02cb8f411c6ae91fb1f59202d25096bd4e523569cb0d9332f97253ea9518dce0.exe

  • Size

    237KB

  • MD5

    d450127ec998b5e2b630e160d2f7fd37

  • SHA1

    601cb671b90b78470801910d06aa8a1eceb61100

  • SHA256

    02cb8f411c6ae91fb1f59202d25096bd4e523569cb0d9332f97253ea9518dce0

  • SHA512

    fc9fe9b0e04469d48ca27718bf167c96fa659cd059126f0a34a7fba7200cf6f75a38ad0bc6c364c517c9cf02a511c0c47c3e3de02fae9f92def10100b1fb388f

  • SSDEEP

    6144:cJLb1wF9kfK8rpClz0KBb6o589GHWHWujiSPbQ:cJ/gBuj/Ps

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Attributes
  • delay

    1

  • install

    true

  • install_file

    update.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/m5mgzzdQ

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\02cb8f411c6ae91fb1f59202d25096bd4e523569cb0d9332f97253ea9518dce0.exe
    "C:\Users\Admin\AppData\Local\Temp\02cb8f411c6ae91fb1f59202d25096bd4e523569cb0d9332f97253ea9518dce0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA681.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3080
      • C:\Users\Admin\AppData\Roaming\update.exe
        "C:\Users\Admin\AppData\Roaming\update.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "update"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4252
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "update"
            5⤵
              PID:4784
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF46.tmp.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4844
            • C:\Windows\system32\timeout.exe
              timeout 3
              5⤵
              • Delays execution with timeout.exe
              PID:5108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA681.tmp.bat
      Filesize

      150B

      MD5

      84898aa83e42b4a947b2638463ab9171

      SHA1

      f08da5b427606c7ecd8523f3b3bae498bb7d8d0e

      SHA256

      33511be3de3deea586f9fd030b501f75fe4a0929315d5369aa04b77f2c769ea7

      SHA512

      1988824cea06ae07c471046c22c7f1a5ad471caa1b0e9d493bd181a4e383f5071765735f0aa1793d36177ab7148e3111c81fec6507cd843bc5e24a10566ce63a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCF46.tmp.bat
      Filesize

      155B

      MD5

      b8988ee238f5cbb8461ae89e5435c969

      SHA1

      e1e21f6a05f608617ccca9c85be54d1d48f515a5

      SHA256

      6a4bc1fe33425ea3d19f66b1d614cdea315f998fc3588508d0423a631ecfc67f

      SHA512

      276285976bb56bd139ed075a98f5734c903814e8d55cb432cc6f90cd41e9e699a39a7626d3bf12cb50b30b2b3be8a3517c9613067ad74dbedf1deadfeea44b17

      Download Submit

    • C:\Users\Admin\AppData\Roaming\update.exe
      Filesize

      237KB

      MD5

      d450127ec998b5e2b630e160d2f7fd37

      SHA1

      601cb671b90b78470801910d06aa8a1eceb61100

      SHA256

      02cb8f411c6ae91fb1f59202d25096bd4e523569cb0d9332f97253ea9518dce0

      SHA512

      fc9fe9b0e04469d48ca27718bf167c96fa659cd059126f0a34a7fba7200cf6f75a38ad0bc6c364c517c9cf02a511c0c47c3e3de02fae9f92def10100b1fb388f

      Download Submit

    • memory/728-1-0x00007FFE56B03000-0x00007FFE56B05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/728-0-0x0000000000460000-0x00000000004A2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/728-2-0x00007FFE56B00000-0x00007FFE575C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/728-7-0x00007FFE56B00000-0x00007FFE575C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3552-13-0x000000001D5D0000-0x000000001D682000-memory.dmp

      Filesize

      712KB

      Download

    • memory/3552-12-0x000000001D550000-0x000000001D5C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3552-14-0x0000000002790000-0x00000000027AE000-memory.dmp

      Filesize

      120KB

      Download