Analysis
- max time kernel: 127s
- max time network: 144s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 09/11/2024, 22:18
Behavioral task: behavioral1
- Sample: Network Experience.exe
- Resource: win10ltsc2021-20241023-en
General
- Target: Network Experience.exe
- Size: 74KB
- MD5: a1e76f2fbe7af658b38383fbfd7cfff4
- SHA1: 6dc43ef73b59ff29089a4b29bc8ade4ea63484ec
- SHA256: 7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1
- SHA512: 4a47391ba3132cfb36da8d7f08ae6856312b26547845e3fe5f3ddd0939893245bf4de337671bc917926d5c764a6100d084845236ef1707560ff5be4aa5f2bed8
- SSDEEP: 1536:rUa8cxqnHXC56PMVwKCpaIPr1bg/VkxLN+QzcoVVclN:rUrcxq3O6PMVQpLr1bg9kxQQJ3Y
Malware Config
Extracted
- asyncrat
- Venom Pwn3rzs' Edtition v6.0.1
- proxy on top
- gdfgvsdfdasfkjasdkjaske9831943ioqwkd
- delay: 1
- install: true
- install_file: NetworkEX.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/jGuGV3jT
Signatures
- Asyncrat family
- Async RAT payload (1 IoCs)
  resource: behavioral1/files/0x00290000000450b1-12.dat; yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation; Process: Network Experience.exe
- Executes dropped EXE (1 IoCs)
  PID 4184: NetworkEX.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 15: pastebin.com; flow 16: pastebin.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  PID 4944: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2100: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  Repeated entries for PID 3580 (Network Experience.exe) and PID 4184 (NetworkEX.exe).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; PID 3580; Process: Network Experience.exe
  Token: SeDebugPrivilege; PID 4184; Process: NetworkEX.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 4184: NetworkEX.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3580 wrote to memory of 3028; Process: Network Experience.exe; procid_target: 84 (2 entries)
  PID 3580 wrote to memory of 712; Process: Network Experience.exe; procid_target: 86 (2 entries)
  PID 3028 wrote to memory of 2100; Process: cmd.exe; procid_target: 88 (2 entries)
  PID 712 wrote to memory of 4944; Process: cmd.exe; procid_target: 89 (2 entries)
  PID 712 wrote to memory of 4184; Process: cmd.exe; procid_target: 94 (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Network Experience.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Network Experience.exe"
  PID: 3580
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit
    PID: 3028
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'
      PID: 2100
      Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9990.tmp.bat""
    PID: 712
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 4944
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\NetworkEX.exe
      Command line: "C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
      PID: 4184
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: e3216c9f63f440a3247a70eeca022adc
  SHA1: 0bb99d9f3e8511c4226a2b6a851a5ac727196862
  SHA256: 378998304e6d5747ccd546d0666134195788ccd11d3e098d29fe7153d281925d
  SHA512: dff9d05e183044d9b097aa19aa3c3a076e805cf5f30cba5bce0cbb6c1c94d0f504602b7f6f824ebf0250e8e67798d7d11c525fe1274f4660bf19ef39916d2589
- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
- Filesize: 74KB
  MD5: a1e76f2fbe7af658b38383fbfd7cfff4
  SHA1: 6dc43ef73b59ff29089a4b29bc8ade4ea63484ec
  SHA256: 7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1
  SHA512: 4a47391ba3132cfb36da8d7f08ae6856312b26547845e3fe5f3ddd0939893245bf4de337671bc917926d5c764a6100d084845236ef1707560ff5be4aa5f2bed8