Overview

overview

10

Static

static

3

8d8718cc95...e2.exe

windows7-x64

10

8d8718cc95...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d8718cc95ecf6af196cc0c0eaac9ae2.exe

  • Size

    513KB

  • MD5

    8d8718cc95ecf6af196cc0c0eaac9ae2

  • SHA1

    0c822251da19e4f9f5a0b555d85fcf8813034b32

  • SHA256

    89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4

  • SHA512

    98a74f1db9a7334f05327d871e7aa4e3b264d2cc36709df6e625edb79dde1e49a355b439fa7b72e6a5714a9c2e5b8807aa94aa137fee36c78388bbeeb9445114

  • SSDEEP

    12288:iE/ShrODzyPjurrSN/nGtZr0IMr3xYokt9mROPBMzt:d/2PAShG30X3um3B

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Default

C2

lastofdr51.mywire.org:6606

lastofdr51.mywire.org:7707

lastofdr51.mywire.org:8808

Nightmare15.strangled.net:6606

Nightmare15.strangled.net:7707

Nightmare15.strangled.net:8808

darkenssnight.ydns.eu:6606

darkenssnight.ydns.eu:7707

darkenssnight.ydns.eu:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    SystemUpdate.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d8718cc95ecf6af196cc0c0eaac9ae2.exe
    "C:\Users\Admin\AppData\Local\Temp\8d8718cc95ecf6af196cc0c0eaac9ae2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8d8718cc95ecf6af196cc0c0eaac9ae2.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YeANKIEIC.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YeANKIEIC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBB8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2816
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:1720
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CabED6D.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCBB8.tmp
      Filesize

      1KB

      MD5

      bbae1110b76e61914c292d097967d374

      SHA1

      232aa0afcd87889c28b58a60083bdef8da5979c3

      SHA256

      d1a25985375e698a60bbde9b205cc42c36e61c34e178840bd7aa3862b5405279

      SHA512

      0a4e6b0b0587ddf05a6aadc066e108bdd9740e827ef284587c5d394738cf185aa1511abfbc313efc080339d8c197d99746cdebed64fea0c6e083ebc2eb9ea27e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      7a0aa20fc2e128e7f9ac1f310a69ea8c

      SHA1

      2c73a089d3fcc59a8de2ed3d231b857285a4e4b0

      SHA256

      7845f8c8e080ee1361590bb1c339dabcebf59cf76af7e4bb387bb83fced177d6

      SHA512

      bb9905845e4000d89cb1acb1b50cebbc658fcabcec90221d7d4927ef73ea1323a39da17a11b41b709d5c92daf4cc9b08b693d212f5145e32116f07f7f2c1b9d2

      Download Submit

    • memory/636-29-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/636-28-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/636-23-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/636-25-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/636-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/636-21-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/636-19-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/636-30-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3008-2-0x0000000074400000-0x0000000074AEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3008-0-0x000000007440E000-0x000000007440F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3008-4-0x000000007440E000-0x000000007440F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3008-3-0x0000000000340000-0x0000000000350000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3008-6-0x0000000004F40000-0x0000000004F98000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3008-5-0x0000000074400000-0x0000000074AEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3008-31-0x0000000074400000-0x0000000074AEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3008-1-0x0000000000DB0000-0x0000000000E36000-memory.dmp

      Filesize

      536KB

      Download