Overview
overview
10Static
static
1015a83de318...fa.exe
windows7-x64
615a83de318...fa.exe
windows10-2004-x64
6304f9bc7de...1b.exe
windows7-x64
10304f9bc7de...1b.exe
windows10-2004-x64
1043087ea949...eb.exe
windows7-x64
1043087ea949...eb.exe
windows10-2004-x64
1061bb2c746d...fd.exe
windows7-x64
1061bb2c746d...fd.exe
windows10-2004-x64
1078ae7a93d9...b6.exe
windows7-x64
1078ae7a93d9...b6.exe
windows10-2004-x64
10878487e25e...53.exe
windows7-x64
10878487e25e...53.exe
windows10-2004-x64
10922135a10e...54.exe
windows7-x64
10922135a10e...54.exe
windows10-2004-x64
1098e12d1098...ad.exe
windows7-x64
1098e12d1098...ad.exe
windows10-2004-x64
10b67bc3d957...8f.exe
windows7-x64
8b67bc3d957...8f.exe
windows10-2004-x64
8Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 06:54
Behavioral task
behavioral1
Sample
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe
Resource
win10v2004-20241007-en
General
-
Target
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
-
Size
45KB
-
MD5
5af5a9087ecf42eb83fb358d49b06e92
-
SHA1
0d4a5c5d90e6306c476036ca097a01a17b4295db
-
SHA256
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453
-
SHA512
d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c
-
SSDEEP
768:Qu08dTbAoeyWUE++Ymo2q8EpL2d78tPIAzjbygX3i46U44rylUVkBDZax:Qu08dTbfz2ESA3b1XSHULy9dax
Malware Config
Extracted
asyncrat
0.5.7B
Default
206.123.141.239:7777
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
12376w8q09dq.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral12/files/0x000d000000023b27-12.dat family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe -
Executes dropped EXE 1 IoCs
pid Process 2396 12376w8q09dq.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 12376w8q09dq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1576 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2692 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe Token: SeDebugPrivilege 2396 12376w8q09dq.exe Token: SeDebugPrivilege 2396 12376w8q09dq.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4084 wrote to memory of 2000 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 92 PID 4084 wrote to memory of 2000 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 92 PID 4084 wrote to memory of 2000 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 92 PID 4084 wrote to memory of 3424 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 94 PID 4084 wrote to memory of 3424 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 94 PID 4084 wrote to memory of 3424 4084 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe 94 PID 2000 wrote to memory of 2692 2000 cmd.exe 96 PID 2000 wrote to memory of 2692 2000 cmd.exe 96 PID 2000 wrote to memory of 2692 2000 cmd.exe 96 PID 3424 wrote to memory of 1576 3424 cmd.exe 97 PID 3424 wrote to memory of 1576 3424 cmd.exe 97 PID 3424 wrote to memory of 1576 3424 cmd.exe 97 PID 3424 wrote to memory of 2396 3424 cmd.exe 100 PID 3424 wrote to memory of 2396 3424 cmd.exe 100 PID 3424 wrote to memory of 2396 3424 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe"C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "12376w8q09dq" /tr '"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "12376w8q09dq" /tr '"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2692
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAD6.tmp.bat""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1576
-
-
C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
156B
MD546646f9376c0a899495a2ed668bd1232
SHA1d76ecb685230a108c8bb2b8dd8330ab06feb5ecb
SHA2566145f8cb161e602b77aa754bcdff4a7aa39ccf3bb80dcabb693581daf5ec89c8
SHA512d74d3fce1f979eebffa5fc50a899eed2d82243086664e6e6d3cc310a2dea4384506eb1d9a29c645d5d61f9eca2b1d06cb01032f9b2e615b4e15bb931c8e28a45
-
Filesize
45KB
MD55af5a9087ecf42eb83fb358d49b06e92
SHA10d4a5c5d90e6306c476036ca097a01a17b4295db
SHA256878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453
SHA512d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c