Overview

overview

10

Static

static

10

d995f4f7da...bN.exe

windows7-x64

10

d995f4f7da...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe

  • Size

    4.0MB

  • MD5

    0bca1c34f121425ad181097f4401aa00

  • SHA1

    b2450a936001d83c5029df4933b26d9b1732fc9c

  • SHA256

    d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31b

  • SHA512

    86b9beb0001553f9b898bc9ba130e39949642ae3d027b7fefc6f3252002ab62679de4f6eb70d00555b43f8131b3480821b3fc182f374fc53a479117140407340

  • SSDEEP

    12288:jiG3ngP7iw2yTRruvLG2b2iGDMiGDiLuL:X3gTqURCqlDIDe

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

154.216.17.155:8808

154.216.17.155:7707
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    45

  • install

    true

  • install_file

    vscr.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
    "C:\Users\Admin\AppData\Local\Temp\d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vscr" /tr '"C:\Users\Admin\AppData\Roaming\vscr.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "vscr" /tr '"C:\Users\Admin\AppData\Roaming\vscr.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A83.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1964
      • C:\Users\Admin\AppData\Roaming\vscr.exe
        "C:\Users\Admin\AppData\Roaming\vscr.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1A83.tmp.bat
    Filesize

    148B

    MD5

    2c0e09eac64ad505d709a81e028b2be4

    SHA1

    3dca06653c8c4d74d39867ac49d7d231f38b218f

    SHA256

    884150467bd18d3518d175c759c7f3261aa3f2eb33092c5f1a29a1bc320c04a5

    SHA512

    d925a9d9e748a7bb8ce4ac1ad6d12260aba16f504528b786264a755114ba91139d4361e4c71be02dd21ddabeb6442deef276995c780883c8ade58dfe35a67f95

    Download Submit

  • \Users\Admin\AppData\Roaming\vscr.exe
    Filesize

    4.0MB

    MD5

    0bca1c34f121425ad181097f4401aa00

    SHA1

    b2450a936001d83c5029df4933b26d9b1732fc9c

    SHA256

    d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31b

    SHA512

    86b9beb0001553f9b898bc9ba130e39949642ae3d027b7fefc6f3252002ab62679de4f6eb70d00555b43f8131b3480821b3fc182f374fc53a479117140407340

    Download Submit

  • memory/2724-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-1-0x0000000001050000-0x0000000001062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2724-2-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-3-0x0000000073F40000-0x000000007462E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2724-13-0x0000000073F40000-0x000000007462E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2896-17-0x00000000001D0000-0x00000000001E2000-memory.dmp

    Filesize

    72KB

    Download