Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2024 00:50
Behavioral task: behavioral1
- Sample: 2760-2-0x0000000000220000-0x0000000000232000-memory.exe
- Resource: win7-20240903-en
General
- Target: 2760-2-0x0000000000220000-0x0000000000232000-memory.exe
- Size: 72KB
- MD5: abae485c5bb08a3c3d973a9f0bf4909f
- SHA1: 7ab206b8de7e8e2757c25c0144164d337c454d43
- SHA256: 120cdab22661efc232e872f45c5c42cee1f33f4b23996596bbffc1fe9cde1a03
- SHA512: 890f360d52682b445f076c960ab6aa0babb5bd569bb8d54babecbb2ed266143c3746cccb7875f7589beabd8c0c64b66e4cfcf5629e43750a8b2547c40a33c42c
- SSDEEP: 1536:yu270TceH2+nszByYfUlbAoEb7uYHTF25bxzlxOU0d+c:yu2oTceH2+szByYfUlbAoEb7uYB2jh0d
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 54.253.7.109:4447
- Mutex: XqcNee3124zJ
- Attributes:
  - delay: 21
  - install: true
  - install_file: service.exe
  - install_folder: %AppData%

The install_folder and install_file values match the drop location observed in the process tree, C:\Users\Admin\AppData\Roaming\service.exe, and the scheduled task name "service"; the C2 host and port are the network indicator to block or hunt for.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Roaming\service.exe: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, by 2760-2-0x0000000000220000-0x0000000000232000-memory.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 2636 service.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 2760-2-0x0000000000220000-0x0000000000232000-memory.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by schtasks.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by timeout.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by service.exe
  Every process in the tree, including the stock cmd.exe, schtasks.exe and timeout.exe, opens this key, so on its own it is a weak indicator; the Geo\Nation query above, made only by the sample, is the more telling location check.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
  - 2336 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes (pid / process):
  - 916 2760-2-0x0000000000220000-0x0000000000232000-memory.exe (23 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 916 2760-2-0x0000000000220000-0x0000000000232000-memory.exe
  - Token: SeDebugPrivilege, 2636 service.exe
  - Token: SeDebugPrivilege, 2636 service.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (pid / process / target process), each pair recorded three times:
  - PID 916 (2760-2-0x0000000000220000-0x0000000000232000-memory.exe) wrote to memory of 1480 (cmd.exe)
  - PID 916 (2760-2-0x0000000000220000-0x0000000000232000-memory.exe) wrote to memory of 4596 (cmd.exe)
  - PID 4596 (cmd.exe) wrote to memory of 2336 (timeout.exe)
  - PID 1480 (cmd.exe) wrote to memory of 1416 (schtasks.exe)
  - PID 4596 (cmd.exe) wrote to memory of 2636 (service.exe)
  Every target is a process that the writer itself spawned (compare the process tree below), which is consistent with the writes a parent makes while starting a child rather than with injection into a pre-existing process; this signature alone does not show code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2760-2-0x0000000000220000-0x0000000000232000-memory.exe (PID 916)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2760-2-0x0000000000220000-0x0000000000232000-memory.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 1480)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1416)
         Command line: schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"'
         - System Location Discovery: System Language Discovery
         - Scheduled Task/Job: Scheduled Task
   2. C:\Windows\SysWOW64\cmd.exe (PID 4596)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD801.tmp.bat""
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe (PID 2336)
         Command line: timeout 3
         - System Location Discovery: System Language Discovery
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\service.exe (PID 2636)
         Command line: "C:\Users\Admin\AppData\Roaming\service.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
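The process tree above is the whole AsyncRAT install routine: register a logon task with highest run level pointing at a copy in %AppData%, then run a temporary batch file that sleeps with timeout.exe and starts the copy. As an added example (not part of the sandbox report, and not AsyncRAT's or Triage's code), the following Python turns that behaviour, together with the geofence registry check and the WriteProcessMemory entries in the Signatures section, into detection checks over constructed process-creation and registry events that mirror the tree. The event dicts, the USER_WRITABLE path list and all function names are this example's own choices, not fields of any real telemetry schema.

```python
"""Detection checks for the AsyncRAT install chain shown in this report.

Constructed input only: the process and registry events below are typed in
to mirror the report's process tree; they are not sandbox output.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2760-2-0x0000000000220000-0x0000000000232000-memory.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\service.exe"
SCHTASKS_CMD = r"""schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"'"""

# Process-creation events (pid, ppid, image, cmdline); ppid 0 means the parent is unknown.
EVENTS = [
    {"pid": 916, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1480, "ppid": 916, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS_CMD + " & exit"},
    {"pid": 1416, "ppid": 1480, "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 4596, "ppid": 916, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD801.tmp.bat""'},
    {"pid": 2336, "ppid": 4596, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 2636, "ppid": 4596, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
]
# Registry-query events; the Geo\Nation read is the one the report attributes to pid 916.
REG_EVENTS = [
    {"pid": 916, "key": r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation"},
    {"pid": 2636, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]
# WriteProcessMemory (writer, target) pairs from the report, one entry per distinct pair.
WPM = [(916, 1480), (916, 4596), (4596, 2336), (1480, 1416), (4596, 2636)]

# Directories a standard user can write to; a task action or launched image here is suspicious.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)
GEO_KEY = r"\Control Panel\International\Geo\Nation"
# Tokens: a single-quoted run, a double-quoted run, or a bare word (cmd.exe-style quoting).
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def parse_schtasks(cmdline: str) -> dict:
    """Return schtasks switches as {switch: value}; bare flags map to True."""
    tokens = _TOKEN.findall(cmdline)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip("'\"")  # drop both quoting layers
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def schtasks_verdict(cmdline: str) -> list:
    """Reasons a schtasks command line looks like malware persistence (empty if benign)."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return []
    reasons = []
    target = opts.get("tr", "")
    if isinstance(target, str) and USER_WRITABLE.search(target):
        reasons.append("task action in user-writable directory")
    if str(opts.get("sc", "")).lower() == "onlogon":
        reasons.append("logon trigger")
    if str(opts.get("rl", "")).lower() == "highest":
        reasons.append("runs with highest privileges")
    if opts.get("f") is True:
        reasons.append("/f overwrites an existing task of the same name")
    return reasons


def delayed_launch_chains(events) -> list:
    """cmd.exe running a .bat from Temp whose children include timeout.exe and an
    executable started from a user-writable directory: returns (cmd pid, image)."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r'\\Temp\\[^\s"]+\.bat', ev["cmdline"], re.I):
            continue
        kids = children[ev["pid"]]
        delayed = any(k["image"].lower().endswith("\\timeout.exe") for k in kids)
        launched = [k["image"] for k in kids
                    if k["image"].lower().endswith(".exe") and USER_WRITABLE.search(k["image"])]
        if delayed and launched:
            hits.append((ev["pid"], launched[0]))
    return hits


def geofence_lookups(reg_events, events) -> list:
    """Geo\\Nation reads by processes running from user-writable paths: (pid, image)."""
    image_of = {e["pid"]: e["image"] for e in events}
    return [(r["pid"], image_of[r["pid"]]) for r in reg_events
            if r["key"].endswith(GEO_KEY) and USER_WRITABLE.search(image_of.get(r["pid"], ""))]


def wpm_outside_process_tree(wpm, events) -> list:
    """WriteProcessMemory pairs whose target is NOT the writer's own child.
    An empty result means every write lines up with process creation, not injection."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    return [(w, t) for w, t in wpm if parent_of.get(t) != w]


if __name__ == "__main__":
    for ev in EVENTS:
        if ev["image"].lower().endswith("\\schtasks.exe"):
            print("schtasks", ev["pid"], schtasks_verdict(ev["cmdline"]))
    print("delayed launches:", delayed_launch_chains(EVENTS))
    print("geofence lookups:", geofence_lookups(REG_EVENTS, EVENTS))
    print("WPM outside tree:", wpm_outside_process_tree(WPM, EVENTS))
```

Run against real telemetry, feed the same dict shape from your EDR's process-creation and registry events; the schtasks parser is the part worth keeping, because the onlogon + /rl highest + user-writable action combination fires on this family regardless of the task name.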
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 151B
  - MD5: 0b246eb88a4bc91b4f5ca08ab540317d
  - SHA1: 95391b17cd555e665fe0587261f23d9b0297a698
  - SHA256: dc64c2d3366895a5478d5be14a6fc6e69c336afdb5db489d029bd2fb4c467bc5
  - SHA512: a1b17339021f89983c0c2bc0aa4233d5ab0e79b9024952894b79e7cac039dcee47f1d7ce3571e462722a3416991eee729e42e1b5af2612734ac332d0ddb957e3
- File 2 (same hashes as the submitted sample in the General section, i.e. a byte-identical copy)
  - Filesize: 72KB
  - MD5: abae485c5bb08a3c3d973a9f0bf4909f
  - SHA1: 7ab206b8de7e8e2757c25c0144164d337c454d43
  - SHA256: 120cdab22661efc232e872f45c5c42cee1f33f4b23996596bbffc1fe9cde1a03
  - SHA512: 890f360d52682b445f076c960ab6aa0babb5bd569bb8d54babecbb2ed266143c3746cccb7875f7589beabd8c0c64b66e4cfcf5629e43750a8b2547c40a33c42c