Analysis

Max time kernel: 142s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-08-2024 06:58
Behavioral task: behavioral1
Sample: 2498d43b33fdf705d23a044d0704271b.exe
Resource: win7-20240729-en

Note: the analysis metadata above (platform, resource) describes the Windows 10 run, and the YARA hit under Signatures is recorded against behavioral2; the task listed here is the Windows 7 task (behavioral1).
General

Target: 2498d43b33fdf705d23a044d0704271b.exe
Size: 47KB
MD5: 2498d43b33fdf705d23a044d0704271b
SHA1: 79b2ee6e706d561533936cde87a46830fbfeec9b
SHA256: d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226
SHA512: 79b0ff8be1762e31c20ae5b5440958bbe652b11f219a5542d9cd2fa789c90dd5898b14be2245ae03f49c5ada54db0547df5eacc7d143f9c0ea608fb4600b4690
SSDEEP: 768:xuI9dTsErkZTWU/lPhmo2qbfhtE7Tb7PPIOinDpm0bR4bvYvrQWrfdxF+XaBDZMx:xuI9dTsXB2VTb7IOindpbR4DYTQEdxF6
Malware Config

Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: thing-wine.gl.at.ply.gg:55280
Mutex: EFhpy3TPM7sR
Attributes:
  delay: 3
  install: true
  install_file: Ass.exe
  install_folder: %Temp%

The extracted configuration matches the observed behaviour: the batch file runs timeout 3 (delay 3) before launching Ass.exe (install_file) from %Temp% (install_folder). The C2 hostname is under ply.gg, the Playit.gg tunnelling service, so any address it resolves to belongs to the tunnel relay rather than to the operator's host; block on the hostname and port, not on a resolved IP.
Signatures

Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0009000000023620-11.dat
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation
  Process: 2498d43b33fdf705d23a044d0704271b.exe

Executes dropped EXE (1 IoC)
  PID 532  Ass.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
    2498d43b33fdf705d23a044d0704271b.exe
    cmd.exe (twice)
    schtasks.exe
    timeout.exe
    Ass.exe
  Every process in the tree, including timeout.exe and schtasks.exe, opens this key, so it is a process-startup artifact rather than a deliberate check; the Geo\Nation query by the sample itself (above) is the stronger geofence signal.

Delays execution with timeout.exe (1 IoC)
  PID 3008  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1496  schtasks.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 1828  2498d43b33fdf705d23a044d0704271b.exe (all 24 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 1828  2498d43b33fdf705d23a044d0704271b.exe
  Token: SeDebugPrivilege  PID 532   Ass.exe
  Token: SeDebugPrivilege  PID 532   Ass.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Each parent-to-child write is recorded three times; the five distinct relations are:

  Source PID  Source process                         Target PID  procid_target
  1828        2498d43b33fdf705d23a044d0704271b.exe   4824        98
  1828        2498d43b33fdf705d23a044d0704271b.exe   1108        100
  4824        cmd.exe                                1496        103
  1108        cmd.exe                                3008        104
  1108        cmd.exe                                532         106

  These relations are exactly the parent-child edges of the process tree below, so here the signature reflects child-process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\2498d43b33fdf705d23a044d0704271b.exe  (PID 1828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2498d43b33fdf705d23a044d0704271b.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4824)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 1496)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe  (PID 1108)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52FD.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 3008)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\Ass.exe  (PID 532)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ass.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2356; separate top-level process, not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8

Reading the tree: the sample spawns two cmd.exe instances. The first registers a logon-triggered scheduled task named "Ass" (/sc onlogon) that runs at the highest privilege level available to the user (/rl highest), overwriting any existing task of that name (/f), with its action pointing at the dropped copy in %Temp%. The second runs the batch file tmp52FD.tmp.bat, which waits three seconds (timeout 3) and then launches Ass.exe, the dropped copy that requests SeDebugPrivilege. The command lines name C:\Windows\System32\cmd.exe, but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it and for its children.
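The chain above (executable in a user-writable directory spawning cmd.exe, a highest-privilege logon task pointing into %Temp%, a batch file that sleeps with timeout.exe and then runs a dropped executable) can be turned into hunting logic over process-creation telemetry. The following is an added example written for this page, not the sandbox's own detection logic. The event records are constructed from the process tree in this report (the field names pid, ppid, image and cmdline are assumptions, not any particular EDR's schema), and one benign daily task pointing into Program Files is included as a control that must not fire.

```python
"""Hunting checks for the persistence chain in this report (added example).

Events are constructed from the report's process tree; pid/ppid/image/cmdline
are assumed field names, not a specific EDR schema. One benign scheduled-task
creation is included as a control.
"""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 1828, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2498d43b33fdf705d23a044d0704271b.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2498d43b33fdf705d23a044d0704271b.exe"'},
    {"pid": 4824, "ppid": 1828, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"' & exit"""},
    {"pid": 1496, "ppid": 4824, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'"""},
    {"pid": 1108, "ppid": 1828, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52FD.tmp.bat""'},
    {"pid": 3008, "ppid": 1108, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 532, "ppid": 1108, "image": r"C:\Users\Admin\AppData\Local\Temp\Ass.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'},
    # Constructed benign control: an admin-created daily task with an action in Program Files.
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'},
]

# Directories a standard user can write to; an executable or task action here is
# a much weaker trust signal than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
LOGON_TRIGGERS = ("onlogon", "onstart", "onidle")


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def task_action_path(cmdline):
    """Return the /tr argument with the nested '"..."' quoting schtasks accepts stripped."""
    m = re.search(r"""/tr\s+['"]*([^'"]+)""", cmdline, re.I)
    return m.group(1).strip() if m else None


def check_schtasks(ev):
    """T1053.005: task creation whose action is in a user-writable directory and
    which either fires at logon/boot/idle or asks for /rl highest."""
    if image_name(ev) != "schtasks.exe":
        return None
    cl = ev["cmdline"].lower()
    if "/create" not in cl:
        return None
    action = task_action_path(ev["cmdline"])
    if not action or not USER_WRITABLE.search(action):
        return None
    logon = any(f"/sc {t}" in cl for t in LOGON_TRIGGERS)
    elevated = "/rl highest" in cl
    if logon or elevated:
        return ("schtasks_user_writable_action", ev["pid"], action)
    return None


def check_batch_dropper(ev, children):
    """cmd.exe running a .bat from a user-writable directory whose children include
    timeout.exe and an executable launched from a user-writable directory."""
    if image_name(ev) != "cmd.exe":
        return None
    if not re.search(r"\.bat\b", ev["cmdline"], re.I) or not USER_WRITABLE.search(ev["cmdline"]):
        return None
    kids = children.get(ev["pid"], [])
    dropped = [k["image"] for k in kids
               if image_name(k) != "timeout.exe" and USER_WRITABLE.search(k["image"])]
    if any(image_name(k) == "timeout.exe" for k in kids) and dropped:
        return ("batch_timeout_then_dropped_exe", ev["pid"], dropped[0])
    return None


def check_temp_parent_spawns_shell(ev, by_pid):
    """An executable running from a user-writable directory spawning cmd.exe."""
    parent = by_pid.get(ev["ppid"])
    if parent and image_name(ev) == "cmd.exe" and USER_WRITABLE.search(parent["image"]):
        return ("exe_in_user_writable_spawns_cmd", ev["pid"], parent["image"])
    return None


def hunt(events):
    """Run every check over the event set; returns (rule, pid, detail) tuples."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        for f in (check_schtasks(e), check_batch_dropper(e, children),
                  check_temp_parent_spawns_shell(e, by_pid)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

On the constructed events this yields four findings (the schtasks task pointing at %Temp%\Ass.exe, the batch-plus-timeout launch of Ass.exe, and the two cmd.exe instances spawned by the executable in %Temp%) and nothing for the Program Files control. The schtasks rule deliberately keys on the task action's location and trigger rather than on the task name, since "Ass" is operator-chosen and will differ between builds; the batch rule needs parent-child linkage, so it only works on telemetry that records ppid.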
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (the submitted sample)
  Filesize: 47KB
  MD5: 2498d43b33fdf705d23a044d0704271b
  SHA1: 79b2ee6e706d561533936cde87a46830fbfeec9b
  SHA256: d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226
  SHA512: 79b0ff8be1762e31c20ae5b5440958bbe652b11f219a5542d9cd2fa789c90dd5898b14be2245ae03f49c5ada54db0547df5eacc7d143f9c0ea608fb4600b4690

File 2 (name not recorded in this extract)
  Filesize: 150B
  MD5: c30ae608a0266510dfd8d549d0aee2e7
  SHA1: 18d8a450b653d78ee15d578ef30154698675187d
  SHA256: 4cbc0c112d293059205656edd49ae031a54b31b4f5e3f03c4a3d7ecc0bee0b58
  SHA512: 3c808ad3c5cffde6f6d07cd6422485fba502260002c78c385341f240200384dd72c7941725f203d3e456b82797240208769bbe3235d79e2537d86ccd5a4d0c4e