Overview

overview

10

Static

static

10

a52ed7cc85...0d.exe

windows7-x64

10

a52ed7cc85...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2024, 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a52ed7cc857c5a48246c336bd22ac226100a005a8fa1306debe166af6018090d.exe

  • Size

    48KB

  • MD5

    23575c31dfc1d767ffdcb95b286e3722

  • SHA1

    4f45e5054dbae1b7c768d34fe31a4b8c69b87799

  • SHA256

    a52ed7cc857c5a48246c336bd22ac226100a005a8fa1306debe166af6018090d

  • SHA512

    db2cccfa494a8b2d08f520f20ce9d5853fa45d1775d92ea211154fe2dec309f0da0531dbe62d3504e6a2e270d358b5edf8272a11a49b54f6b93c8c278f5bd364

  • SSDEEP

    1536:CN1RxXpwH/XbzY1zkT+aXMouA152k6OsKmVcl:CtPwH/bzm8CkwK8Y

Score
10/10
asyncratnullrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

62.108.37.42:8808

Mutex

iaqvopecckrrmxlkj

Attributes
  • delay

    5

  • install

    true

  • install_file

    Microsoft Corporation.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a52ed7cc857c5a48246c336bd22ac226100a005a8fa1306debe166af6018090d.exe
    "C:\Users\Admin\AppData\Local\Temp\a52ed7cc857c5a48246c336bd22ac226100a005a8fa1306debe166af6018090d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Microsoft Corporation"' /tr "'C:\Users\Admin\AppData\Roaming\Microsoft Corporation.exe"'
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4204
      • C:\Users\Admin\AppData\Roaming\Microsoft Corporation.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft Corporation.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp.bat
    Filesize

    165B

    MD5

    bae2ea7fec9ecea6154e4b4b85fcacc5

    SHA1

    7056ea22ea72eec9a0c6754781318252f8aef4f1

    SHA256

    00516451e5768d24d7e8680115c304cbc821ebc5e1e21c0dcc5cd9e455105d29

    SHA512

    d9de3febad18988425d097b0e40467885308100f17a36225940cc95aa0627949e59ee5ef12b98f65822ec2cf6eacd5d487e178cdcfb6f6ba07a89769ede9e5ba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft Corporation.exe
    Filesize

    47.5MB

    MD5

    bdf98a7f6688a91102f25fc790c8297f

    SHA1

    adc50297449f0eec5bee8ac18e2cb969afdeed04

    SHA256

    04da282f33575b7543546b4aa7111d3e4f7505b83d4c3945deda26af76fa8667

    SHA512

    83496b05c4f681f3637eabe3700118eb5644f8c7c6fea14066a95477172feb100e469c384117f3002a6d37b5db1e9406299b64d3e771133e8b588a465481eb4b

    Download Submit

  • memory/1288-0-0x00007FF9FEBA3000-0x00007FF9FEBA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1288-1-0x0000000000C60000-0x0000000000C72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1288-2-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1288-3-0x00007FF9FEBA3000-0x00007FF9FEBA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1288-4-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1288-10-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2576-14-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2576-15-0x00007FF9FEBA0000-0x00007FF9FF661000-memory.dmp

    Filesize

    10.8MB

    Download