Analysis
max time kernel: 88s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-10-2024 15:24
Static task: static1
Behavioral task: behavioral1
Sample: build.exe
Resource: win11-20241007-en
General
Target: build.exe
Size: 3.5MB
MD5: c9d5e28ae4638f8db2e112ec80158d0a
SHA1: e5e5aa59eadf80c9725ca26ee95e3af214c7146d
SHA256: 1099a5fc3d5bd8c7250a34b90eecc9d53db92d7659e1f13440a84a4ee6380a83
SHA512: 16208beef3beefd449840c19945ebdee8fe60e57aa188e7f5bb793550c4d8afbef1f0395f75942a852cf9abe35d25b5ef530a3640b67c26f247a023b92d94329
SSDEEP: 49152:WLJwSihjOb6GLb4SKEs3DyOMCSt0+yO3A32AS+Tv+mNwgDF/Jg58d3DV7n0wsPlo:SwSi0b67zeCSt0+yO3kSat
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: 25 OCTUBRE
C2: diosestasiempre.duckdns.org:2247
Mutex: estees
Attributes:
delay: 1
install: false
install_folder: %AppData%
Signatures

Asyncrat family

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: build.exe
Set value (str) by build.exe:
\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\HPDesignerEditor = "C:\\Users\\Admin\\Music\\HPDesignerUpdater\\HPConvertVideo.exe"
Note that the persisted path is under the user's Music folder, not the %AppData% install_folder from the extracted config, and that the config's install flag is false; no file write to that path appears in this report's signatures.

Suspicious use of SetThreadContext (1 IoC)
Processes: build.exe
PID 3376 (build.exe) set thread context of PID 4824 (csc.exe)
Together with the WriteProcessMemory calls below and a csc.exe child that was started with no command-line arguments (see Processes), this is the classic process-hollowing pattern: the .NET compiler is used only as a host for the injected payload.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: build.exe, csc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by build.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by csc.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the reads come from Taskmgr.exe (PID 476), not from the sample or its csc.exe child.
Processes: Taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 by Taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A by Taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName by Taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Taskmgr.exe
PID 476 Taskmgr.exe (64 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: Taskmgr.exe, csc.exe
Token: SeDebugPrivilege, PID 476 Taskmgr.exe
Token: SeSystemProfilePrivilege, PID 476 Taskmgr.exe
Token: SeCreateGlobalPrivilege, PID 476 Taskmgr.exe
Token: SeDebugPrivilege, PID 4824 csc.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: Taskmgr.exe
PID 476 Taskmgr.exe (64 occurrences)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: Taskmgr.exe
PID 476 Taskmgr.exe (64 occurrences)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: build.exe
PID 3376 (build.exe) wrote to memory of PID 4824 (csc.exe), 5 times
Processes

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
PID: 3376
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (child of PID 3376)
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  PID: 4824
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
PID: 476
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
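As an added example (not part of the sandbox report, the sample, or any sandbox vendor's code), the following Python detector replays a constructed stream of Sysmon-style events modelled on the process tree above and flags the two build.exe behaviours the report records: a Run-key value pointing into a user-writable directory, and WriteProcessMemory plus SetThreadContext into a freshly spawned csc.exe that was started with no arguments. The event field names, the list of hollowing host binaries and the user-writable path prefixes are this example's own assumptions, not Sysmon's schema or anything the report states; the sample events are constructed from the report's PIDs and paths, not captured telemetry.

```python
"""Added example: replays constructed, Sysmon-style events and flags the two
build.exe behaviours recorded in the report (a Run key pointing into a
user-writable directory, and WriteProcessMemory + SetThreadContext into a
freshly spawned csc.exe started with no arguments). Event dict keys are this
example's own schema, not Sysmon's field names; the sample events are
constructed from the report's PIDs and paths, not captured telemetry."""
from collections import defaultdict

# Hashes and C2 copied from the report, for correlating a file seen elsewhere.
SAMPLE_HASHES = {
    "md5": "c9d5e28ae4638f8db2e112ec80158d0a",
    "sha256": "1099a5fc3d5bd8c7250a34b90eecc9d53db92d7659e1f13440a84a4ee6380a83",
}
C2_HOST, C2_PORT = "diosestasiempre.duckdns.org", 2247

RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Assumed set of user-writable roots; extend to match your environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed list of .NET utilities that are routine hollowing hosts and have no
# legitimate reason to run with an empty command line.
HOLLOW_HOSTS = {"csc.exe", "vbc.exe", "msbuild.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(image, cmdline):
    """True when the command line is only the (optionally quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def run_key_findings(events):
    """Run-key values whose target lives in a user-writable location."""
    out = []
    for e in events:
        if e["type"] != "reg_set" or RUN_KEY_MARKER not in e["key"].lower():
            continue
        # Registry strings arrive with escaped backslashes, as in the report.
        target = e["value"].strip('"').replace("\\\\", "\\").lower()
        if target.startswith(USER_WRITABLE_PREFIXES):
            out.append({"rule": "run_key_user_writable", "pid": e["pid"],
                        "value_name": e["key"].rsplit("\\", 1)[-1],
                        "target": target})
    return out


def hollowing_findings(events):
    """Parent spawns a hollowing host with no arguments, then writes its memory
    and resets a thread context in it."""
    spawned = {}                 # child pid -> (parent pid, child image)
    actions = defaultdict(set)   # (source pid, target pid) -> {event types}
    for e in events:
        if e["type"] == "process_create":
            if (_basename(e["image"]) in HOLLOW_HOSTS
                    and _no_arguments(e["image"], e["cmdline"])):
                spawned[e["pid"]] = (e["ppid"], _basename(e["image"]))
        elif e["type"] in ("write_memory", "set_thread_context"):
            actions[(e["pid"], e["target_pid"])].add(e["type"])
    out = []
    for child, (parent, image) in spawned.items():
        if {"write_memory", "set_thread_context"} <= actions[(parent, child)]:
            out.append({"rule": "process_hollowing", "parent_pid": parent,
                        "child_pid": child, "target": image})
    return out


def analyze(events):
    return run_key_findings(events) + hollowing_findings(events)


# Constructed event stream mirroring the process tree and IoCs in the report;
# the last entry is a benign control (csc.exe invoked by a build with real
# arguments) that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3376, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\build.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\build.exe"'},
    {"type": "reg_set", "pid": 3376,
     "key": r"\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\HPDesignerEditor",
     "value": r'"C:\\Users\\Admin\\Music\\HPDesignerUpdater\\HPConvertVideo.exe"'},
    {"type": "process_create", "pid": 4824, "ppid": 3376,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"'},
    *[{"type": "write_memory", "pid": 3376, "target_pid": 4824} for _ in range(5)],
    {"type": "set_thread_context", "pid": 3376, "target_pid": 4824},
    {"type": "process_create", "pid": 5100, "ppid": 2200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @"C:\Temp\build.cmdline"'},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The hollowing rule deliberately requires all three signals (argument-less spawn of a known host, a memory write, and a thread-context change from the same parent) so that ordinary compiles, debuggers and crash handlers do not fire it; on real Sysmon data the memory-write and thread-context events map to process-access and CreateRemoteThread-style telemetry, which varies by EDR, so treat the event shape here as illustrative.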