Analysis
-
max time kernel
106s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-09-2024 18:53
General
-
Target
2fed2e02c8e90c9265319f5d7bd573f68fd0b1f21c1ed97fa1695b51e45c2636N.exe
-
Size
63KB
-
MD5
9a553625e7bb4c85c51ef01ed4caf1e0
-
SHA1
3292c82975cea5051dd3f0e371491fade23d5fa4
-
SHA256
2fed2e02c8e90c9265319f5d7bd573f68fd0b1f21c1ed97fa1695b51e45c2636
-
SHA512
1eb2feff3b8443b499d6e19a02d958ffceea7ef70e283f40fdf812fddfcf633c3ab2b0576cec3a451135f529f807b14d7b2f10a7a42840e4e78d4b237e7223d7
-
SSDEEP
768:Cuw6LVcsTPq781wC8A+XjuazcBRL5JTk1+T4KSBGHmDbD/ph0oX52lSuEdpqKYhg:LeQPckdSJYUbdh91uEdpqKmY7
Malware Config
Extracted
asyncrat
Default
electronics-fear.gl.at.ply.gg:56358
-
delay
1
-
install
true
-
install_file
dllhost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fed2e02c8e90c9265319f5d7bd573f68fd0b1f21c1ed97fa1695b51e45c2636N.exe"C:\Users\Admin\AppData\Local\Temp\2fed2e02c8e90c9265319f5d7bd573f68fd0b1f21c1ed97fa1695b51e45c2636N.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C7C.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD584dc42f987963d290bdab43a5dfee9b7
SHA1a447d330c59c126ef26b1a173017cb7290cad5ec
SHA256b367013b52859d1c776ebc9419bcc0533f02610f8460b31ec50ce07f09385e84
SHA512db663d1fa25f9c74ecec57efb037500d97862fa34267c58b198a4cf4383b445b433be0d6959869381b9ed306e4373684460c572783f89874504b6c8f68cfb1db
-
Filesize
63KB
MD59a553625e7bb4c85c51ef01ed4caf1e0
SHA13292c82975cea5051dd3f0e371491fade23d5fa4
SHA2562fed2e02c8e90c9265319f5d7bd573f68fd0b1f21c1ed97fa1695b51e45c2636
SHA5121eb2feff3b8443b499d6e19a02d958ffceea7ef70e283f40fdf812fddfcf633c3ab2b0576cec3a451135f529f807b14d7b2f10a7a42840e4e78d4b237e7223d7
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB