Analysis
-
max time kernel
300s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30-09-2024 05:05
General
-
Target
e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31.exe
-
Size
3.5MB
-
MD5
b3fd0e1003b1cd38402b6d32829f6135
-
SHA1
c9cedd6322fb83457f56b64b4624b07e2786f702
-
SHA256
e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31
-
SHA512
04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1
-
SSDEEP
49152:KXSBgOQSMWnpCkICTugfaU6vTN4Z6WSk7s7jsjS4znnqyIn7TrvU:KygOQSVpC/CHMTWk8zn
Malware Config
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31.exe"C:\Users\Admin\AppData\Local\Temp\e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"3⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\neon.exe"C:\Users\Admin\AppData\Local\Temp\neon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\neon.exe"C:\Users\Admin\AppData\Local\Temp\neon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e555c48cb712a9597ecb55a60135d1f8
SHA12081c72d30c34ec3f61f9944545ecdaae11521f7
SHA256815c80df060afa8acf7640ca011735ef77c66666d03901e04a8767827d5da4e9
SHA51232129b5be15217e5400f1e7536270a703d62db60ebb06396b9d74703e6a0dcd2e78f7f42b2019093be1508a9310912f305b88de274a295c9135a4086cd8c8427
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
113B
MD509515d8c79dd97b800512319b50e3b61
SHA19f356676a07ed3923f3b3cf69387b5e5c927c7f6
SHA256a9854bbceab163ebfcdba110f5075d717eac418390fa012089b5ab70fb9ebfe8
SHA5129eba1ed32c51d5b8af58fffbd2dc03e672065968520a85d098d9c970bf9fd673d5a9899c6d1a4328e205dbf86c84ff5c06149420adb9038af5f6b479ec8d00de
-
Filesize
116B
MD5911f4096d105745f095b64114f8ce07c
SHA1dc6c3bb403f2b03d4979bc320616d762204a7272
SHA25643e52270be473758d9878ed26a71e865c3ae8161b811f2e7a90c4643da443d98
SHA5120b1357116d173cf416f117ebba92e152578ddfd6889efbe43eb041a2a821ca82e718e7d631e7be7daddf863838a67e38c08eaa77f88405afc30f33a8856df4d0
-
Filesize
104KB
-
Filesize
624KB
-
Filesize
44KB
-
Filesize
504KB
-
Filesize
92KB
-
Filesize
396KB
-
Filesize
696KB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
180KB
-
Filesize
616KB
-
Filesize
120KB
-
Filesize
344KB
-
Filesize
68KB
-
Filesize
20.2MB
-
Filesize
1.7MB
-
Filesize
32KB
-
Filesize
2.8MB
-
Filesize
764KB
-
Filesize
1.4MB
-
Filesize
1.6MB
-
Filesize
168KB
-
Filesize
664KB
-
Filesize
1.8MB
-
Filesize
80KB
-
Filesize
632KB
-
Filesize
208KB
-
Filesize
24KB
-
Filesize
104KB
-
Filesize
624KB
-
Filesize
292KB
-
Filesize
148KB
-
Filesize
84KB
-
Filesize
304KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
596KB
-
Filesize
1.3MB
-
Filesize
988KB
-
Filesize
424KB
-
Filesize
1.5MB
-
Filesize
984KB
-
Filesize
1.3MB
-
Filesize
156KB
-
Filesize
3.0MB
-
Filesize
680KB
-
Filesize
356KB
-
Filesize
3.5MB
-
Filesize
628KB
-
Filesize
644KB
-
Filesize
6.9MB
-
Filesize
2.3MB
-
Filesize
324KB
-
Filesize
192KB
-
Filesize
176KB