Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 07:21
Static task: static1
Behavioral task: behavioral1
Sample: 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe
Resource: win7-20241010-en
General
Target: 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe
Size: 238KB
MD5: 9d1e589ea8c4b3c59d3fb46afa940da5
SHA1: 817bf841284e0279d15cb27f73a0939344dfb811
SHA256: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed
SHA512: a7db38a58cf9580c987fe6c3293dc279a67458850862d86d0cc60fb7c9213bf92311be2a8ac44ae055fd24619df8f76d33f32835a254d386e4e53e2602d63ac2
SSDEEP: 3072:/Yzwrq5J9SwHMFF9Kw/kxLk42s/8Y31/Yvi9GA54IkMwP5gMTmmsolNIrRuw+mqM:A9zHMFF9KxLp8YFgvwmZrTmDAN
Malware Config
Extracted: asyncrat 0.5.8
Default
54.253.7.109:4447
XqcNee3124zJ
delay: 21
install: true
install_file: service.exe
install_folder: %AppData%
Signatures
Asyncrat family
Async RAT payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/5028-2-0x00000000010A0000-0x00000000010B2000-memory.dmp | family_asyncrat
behavioral2/memory/2364-17-0x0000000002BF0000-0x0000000002C02000-memory.dmp | family_asyncrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
2364 | service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
412 | timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
pid | process
5028 | 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe (23 identical events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 5028 | 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe
Token: SeDebugPrivilege | 2364 | service.exe
Token: SeDebugPrivilege | 2364 | service.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 5028 wrote to memory of 2464 | 5028 | 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe | cmd.exe (3 events)
PID 5028 wrote to memory of 4644 | 5028 | 9D1E589EA8C4B3C59D3FB46AFA940DA5.exe | cmd.exe (3 events)
PID 4644 wrote to memory of 412 | 4644 | cmd.exe | timeout.exe (3 events)
PID 2464 wrote to memory of 2844 | 2464 | cmd.exe | schtasks.exe (3 events)
PID 4644 wrote to memory of 2364 | 4644 | cmd.exe | service.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\9D1E589EA8C4B3C59D3FB46AFA940DA5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9D1E589EA8C4B3C59D3FB46AFA940DA5.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5028
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2464
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"'
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 2844
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp.bat""
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4644
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID: 412
        C:\Users\Admin\AppData\Roaming\service.exe
          Command line: "C:\Users\Admin\AppData\Roaming\service.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2364
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 151B
MD5: 0c30aee0a765a232a838ef4a94bb223d
SHA1: 8015b087b0fee895888bccf2c8eabef6130d58d4
SHA256: 80a7bfe94616da5229696fad629f85bc14f4f92d49244000279797b6d58ed646
SHA512: 9b5fdb8dd32374a8d116d6cac5135b37df2a381908c4a2661bf598d53e19ba599fcda2998763322468afbaa8fdf546c83a1fb982215988d0c18ae623cd5f70f0

Filesize: 238KB
MD5: 9d1e589ea8c4b3c59d3fb46afa940da5
SHA1: 817bf841284e0279d15cb27f73a0939344dfb811
SHA256: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed
SHA512: a7db38a58cf9580c987fe6c3293dc279a67458850862d86d0cc60fb7c9213bf92311be2a8ac44ae055fd24619df8f76d33f32835a254d386e4e53e2602d63ac2