Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2024 02:33

General

  • Target

    931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe

  • Size

    1.1MB

  • MD5

    0e43108aac7bb6e9f68d769b746fea16

  • SHA1

    751e7fe585e73d5ab80f5f629c94c170484c12f5

  • SHA256

    931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993

  • SHA512

    faca3f1d87a4bdbacc0396544818a27925800b95e298185eb8ae3580d79f02a7eee7f02564181f453bdb56197539a3659526e1f00881ac0779301d7dbdd60c27

  • SSDEEP

    24576:D9e1IHkIpNfvY092Y1f9t2JZVJ+TJV8felYpYtx8zkUa:DUmHpBNv9UJZVJ+TJVuiMa

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Receiving + Grabber v6.0.4

Botnet

NewClient

C2

157.20.182.183:4449

Mutex

fsqshvwapaxdhwtdp

Attributes
  • delay

    1

  • install

    false

  • install_file

    Winup.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3492
      • C:\Users\Admin\AppData\Local\Temp\931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
        "C:\Users\Admin\AppData\Local\Temp\931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3980
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3640
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4960
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2012
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 347861
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3912
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "systemadaptermeetingskenneth" Grow
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4544
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Officer + ..\Essays + ..\Cool + ..\Prompt + ..\Itunes G
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5100
          • C:\Users\Admin\AppData\Local\Temp\347861\Councils.pif
            Councils.pif G
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4604
            • C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe
              C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3252
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:3988

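The process tree above is the whole infection chain in one batch script: tasklist piped into findstr to check for security-product processes, md plus copy /b to reassemble a payload from the dropped fragments, a .pif launched from %TEMP% that spawns a RegAsm.exe copy from the same folder, choice as a sleep, and a second cmd.exe writing an [InternetShortcut] .url into the Startup folder. The block below is an added detection example, not part of the sandbox report and not any vendor's rule set. It encodes those steps as checks over process-creation events; the event records are constructed from the PIDs, images and command lines shown in the tree, and the record layout (pid, ppid, image, cmdline) is an assumed minimal schema rather than a real EDR format.

```python
"""Added detection example (not from the sandbox report): checks over
process-creation events modelled on the tree above. Event layout
(pid, ppid, image, cmdline) is an assumed minimal schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executed image
    cmdline: str    # command line as logged


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DROPPED_JS = r"C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js"

# Constructed from the report's process tree (same PIDs, images and command lines).
EVENTS = [
    ProcEvent(3504, 3492, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(2520, 3504, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat'),
    ProcEvent(3980, 2520, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(3640, 2520, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(4960, 2520, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(2012, 2520, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(3912, 2520, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 347861"),
    ProcEvent(4544, 2520, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V "systemadaptermeetingskenneth" Grow'),
    ProcEvent(5100, 2520, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Officer + ..\Essays + ..\Cool + ..\Prompt + ..\Itunes G"),
    ProcEvent(4604, 2520, TEMP + r"\347861\Councils.pif", "Councils.pif G"),
    ProcEvent(3252, 4604, TEMP + r"\347861\RegAsm.exe", TEMP + r"\347861\RegAsm.exe"),
    ProcEvent(4328, 2520, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    ProcEvent(3988, 3492, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /k echo [InternetShortcut] > "' + STARTUP + '\\EduCraft.url" & '
              'echo URL="' + DROPPED_JS + '" >> "' + STARTUP + '\\EduCraft.url" & exit'),
]

# Process-name stems the batch greps for; each is commonly associated with a
# security product (Webroot, Quick Heal, Avast, AVG, Bitdefender, Norton, Sophos).
AV_PROCESS_STEMS = {"wrsa", "opssvc", "avastui", "avgui",
                    "bdservicehost", "nswscsvc", "sophoshealth"}


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def av_process_check(ev, children):
    """findstr run from a cmd.exe that also ran tasklist, searching for
    security-product process names: the 'is AV present?' gate of the batch."""
    if _name(ev.image) != "findstr.exe":
        return False
    if not any(_name(s.image) == "tasklist.exe" for s in children.get(ev.ppid, [])):
        return False
    quoted = re.search(r'"([^"]+)"', ev.cmdline)
    return bool(quoted) and bool(set(quoted.group(1).lower().split()) & AV_PROCESS_STEMS)


def binary_concat(ev, children):
    """copy /b a + b + ... out: reassembling a payload from dropped fragments."""
    return re.search(r"\bcopy\s+/b\b.*\+", ev.cmdline, re.I) is not None


def pif_from_temp(ev, children):
    """A .pif (treated as an executable by Windows) launched from %TEMP%."""
    return _name(ev.image).endswith(".pif") and "\\appdata\\local\\temp\\" in ev.image.lower()


def regasm_outside_framework(ev, children):
    """RegAsm.exe ships under %WINDIR%\\Microsoft.NET\\Framework*; a copy run
    from a user-writable directory is the usual .NET loader/injection host."""
    return _name(ev.image) == "regasm.exe" and "\\microsoft.net\\framework" not in ev.image.lower()


def startup_url_persistence(ev, children):
    """cmd.exe writing an [InternetShortcut] file into the Startup folder."""
    low = ev.cmdline.lower()
    return "[internetshortcut]" in low and "\\start menu\\programs\\startup\\" in low


RULES = [av_process_check, binary_concat, pif_from_temp,
         regasm_outside_framework, startup_url_persistence]


def evaluate(events):
    """Return {rule name: [pids that matched]} in event order."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = {}
    for e in events:
        for rule in RULES:
            if rule(e, children):
                hits.setdefault(rule.__name__, []).append(e.pid)
    return hits


def startup_shortcut_target(url_file_text: str):
    """Extract the URL= value from an [InternetShortcut] file. The echo commands
    above leave the quotes and a trailing space in the file, so both are stripped."""
    section = None
    for raw in url_file_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip().strip('"')
    return None


# Constructed: the file content the two echo commands in the report produce.
STARTUP_URL_TEXT = "[InternetShortcut] \r\nURL=\"" + DROPPED_JS + "\" \r\n"

if __name__ == "__main__":
    for rule_name, pids in evaluate(EVENTS).items():
        print(rule_name, pids)
    print("startup target:", startup_shortcut_target(STARTUP_URL_TEXT))
```

Each rule fires on exactly the PID the tree attributes to that step, and the findstr at PID 4544 (which strips a marker line from Grow rather than grepping for AV names) correctly does not trigger the AV check. Note that the extracted config has install set to false, so the RAT's own copy-to-%AppData%\Winup.exe routine is not used, which matches the absence of Winup.exe among the dropped files; the persistence observed in this run is the Startup-folder .url pointing at EduCraft.js.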
    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\347861\Councils.pif

      Filesize

      872KB

      MD5

      18ce19b57f43ce0a5af149c96aecc685

      SHA1

      1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

      SHA256

      d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

      SHA512

      a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

    • C:\Users\Admin\AppData\Local\Temp\347861\G

      Filesize

      331KB

      MD5

      5a9b52baaf6a9030f3bb5fdc73fdbb97

      SHA1

      8391133bab34d7ec3af23058bad403a404cd9986

      SHA256

      a4fb39190e94406427d266c4f0a7b8a576dea8e6329645706bba403cfcce50a8

      SHA512

      1168f78e3ca07ff74123b8d4dc059f7d5d872bf9e5b7e2728314b44f31058f0d0e4f1487c45fa521a699f8dbeefb43b724f47a040ec46ddf0aa7b1ee1070ab4a

    • C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe

      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    • C:\Users\Admin\AppData\Local\Temp\Attacked

      Filesize

      16KB

      MD5

      6ef8c1c2b28c05eaeac6e46b3040e369

      SHA1

      e95b0727b83d7093562ed5605cec43a4ef999d55

      SHA256

      9b49261b378ff83d4deba60b2340d42f374cde941167951600029d9083ba48e7

      SHA512

      9a125ab0f47d9637542d1ec582ede4b0acf547e31756d0989e91fc8b638e37611d8dd6f01c6a11f209ee77a11f2a928163fe7b6a8f28b86d0b79cfe913fa505d

    • C:\Users\Admin\AppData\Local\Temp\Cool

      Filesize

      69KB

      MD5

      ffa1c079c2f4c6fe1748c9705fbc0fda

      SHA1

      f701e6edc65bb7de8158b57861b03014bc1c65b9

      SHA256

      514774d8e62dc37f281992338612463068808ed5a466dc1b0c7c242b31f48389

      SHA512

      babb4b4fee2d4444e96f634c713de43ba0490e759e003497723293b54235fdc06a3fd60dc200bf708ad4fcf397a3e5338ddad6dd8154c9f46f64f6a805d1e800

    • C:\Users\Admin\AppData\Local\Temp\Essays

      Filesize

      69KB

      MD5

      150f4653b13b6c4d0b8b72770c682969

      SHA1

      b62372a844d67e89e7a335bb3791fb7ec4b38321

      SHA256

      36bbde273aee8421edb18b4f2017146118307ba7dd3694b6d55f64bd159c3ded

      SHA512

      ccf3695445a4fde30edbe4210ceb594d1016a3bf154ba43222ce2d42d5e24357a094c0896faad6a933c7047b764345e0748489f7ad1ec9f58e95555dc3153dc5

    • C:\Users\Admin\AppData\Local\Temp\Grow

      Filesize

      2KB

      MD5

      3c9f8ff4a787de0add5ea18b3c90aeec

      SHA1

      906ebcd1a5b5b34169b3312c57b478b7eb2acfa9

      SHA256

      555da9eb7911ddc494fed580e6ea21988b13e917f76206e00707176797db190b

      SHA512

      f321713b684334a6ee674680bda1cb45b82c9a2385ce0257f44823d7acedb9390638dc267dc55fa73647b074ee7d7c062c98284b90d9ae9aad9128bb0a303765

    • C:\Users\Admin\AppData\Local\Temp\Itunes

      Filesize

      29KB

      MD5

      694d11c39dab9971a8e33c9a2fbb8c54

      SHA1

      1ab6a65b43de72bd706c4c2b1baabcc03c2e20f3

      SHA256

      58af08c2703bf98461f3acf686b52d34d7c63e6665982eaee6f2be2f32f3a76a

      SHA512

      ed0789ba83fb053241838abfece5b30389e339d11121e37754a0ca2bb4d8c04152e37b805fc814f17b605e6abed0b4b71b35387d345cac7de93ddba4a213929c

    • C:\Users\Admin\AppData\Local\Temp\Officer

      Filesize

      65KB

      MD5

      b2d7b245eb933bb0a5fe20daa25cbff9

      SHA1

      ad52775da728362183fc18991db143903d1118a9

      SHA256

      94a1ee3ff9882414c621b0bf21b74744bbd69461e55d7a3479c0e75801167aca

      SHA512

      ff51ec8ec382e25e0946281bde452e27d510723b66d378a54623597255f89aee5014c2ee8885c832bb9449e4b3c51565764b80d2b8782fe62fee108f605ea859

    • C:\Users\Admin\AppData\Local\Temp\Prompt

      Filesize

      99KB

      MD5

      e3d1a8c190d473c37be04f3e883c5bd5

      SHA1

      817fffb89d3835977921fa827cf407f901475b6d

      SHA256

      e731b0ed7a9b1ea844b0f7aca3f27982213b6e8a6dc6512c0aaec3b8dece079d

      SHA512

      4d86b387b75792f2168a4d51750ca41a71674e5ec25a7e09826f0b74eeb13e9ffdb49aab632a8aa7e10678494881aa8d39b9e89c988971cd9260e6c06c316360

    • C:\Users\Admin\AppData\Local\Temp\Titled

      Filesize

      870KB

      MD5

      acf1ef48885709dbc83533ee0425c52f

      SHA1

      d0ef7d02f7610a7e0121bc80b828158e18cd2f65

      SHA256

      4f9208638d6a49b70e5192c525792edcdb1bb06ab403cdc5b93a357b5ba3bee2

      SHA512

      2de5ab5f7e71dd12973040ae6f3a53df71fc746ce4874d41fd8123be3fe24c0f9fa8444b07f89b03d4132ac14c40891e3b84885d62278bce62b2b0db0b0cd7bb

    • memory/3252-31-0x0000000000C00000-0x0000000000C18000-memory.dmp

      Filesize

      96KB

    • memory/3252-34-0x0000000005750000-0x0000000005CF4000-memory.dmp

      Filesize

      5.6MB

    • memory/3252-36-0x0000000005540000-0x00000000055D2000-memory.dmp

      Filesize

      584KB

    • memory/3252-37-0x00000000054B0000-0x00000000054BA000-memory.dmp

      Filesize

      40KB