Analysis
-
max time kernel
85s -
max time network
78s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
13-10-2024 10:13
General
-
Target
Infected.exe
-
Size
63KB
-
MD5
e95d140257dd0e6c7e7b0f188a101390
-
SHA1
71448e9aedaf259af742f28dfc7cc8e77d687310
-
SHA256
ec0d9955fc12a8b1d4779e83cd6e33eb243052059c071def28038e491155e229
-
SHA512
14c551c4a6a64331657e3b9ff542e2b25367628b5d31821610b53db2a0cd0add51aaf5abd90969fe61ca4233278f9b3b8876a1a3a4b0443f498230942448e93d
-
SSDEEP
768:PHMvlKazXYN78NwC8A+XuqazcBRL5JTk1+T4KSBGHmDbD/ph0oXZfdYHaUTSusdP:EtTXA9dSJYUbdh9Z1YN2usdpqKmY7
Malware Config
Extracted
asyncrat
Default
Pizd11337-26540.portmap.host:26540
-
delay
1
-
install
true
-
install_file
FileSVC.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Infected.exe"C:\Users\Admin\AppData\Local\Temp\Infected.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FileSVC" /tr '"C:\Users\Admin\AppData\Roaming\FileSVC.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "FileSVC" /tr '"C:\Users\Admin\AppData\Roaming\FileSVC.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6CE3.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\FileSVC.exe"C:\Users\Admin\AppData\Roaming\FileSVC.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD5103f6fa9735348dc38120fff7a343311
SHA1448b642a656d8a6bdaad7a62a00682dc96c14c86
SHA256e84b80c2153840ce3e46041cf1b3c1ffdc8ff4c1c678bdac6454e17dafa92c69
SHA512cb282bec1ca52b449d78c816b404f79079bc2db71547bfe3ded2ec7dc8dd7d9374dd43e28187779b9ec828693fabbfae27d6a0d5695ebcfe9c9fdc73345a4981
-
Filesize
63KB
MD5e95d140257dd0e6c7e7b0f188a101390
SHA171448e9aedaf259af742f28dfc7cc8e77d687310
SHA256ec0d9955fc12a8b1d4779e83cd6e33eb243052059c071def28038e491155e229
SHA51214c551c4a6a64331657e3b9ff542e2b25367628b5d31821610b53db2a0cd0add51aaf5abd90969fe61ca4233278f9b3b8876a1a3a4b0443f498230942448e93d
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB