Malware Analysis Report

2025-06-15 23:44

Sample ID 241109-18dy8ssnhs
Target Network Experience.exe
SHA256 7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1
Tags
rat proxy on top asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1

Threat Level: Known bad

The file Network Experience.exe was found to be: Known bad.

Malicious Activity Summary

rat proxy on top asyncrat

AsyncRat

Asyncrat family

Async RAT payload

Async RAT payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:18

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:18

Reported

2024-11-09 22:21

Platform

win10ltsc2021-20241023-en

Max time kernel

127s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Network Experience.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Network Experience.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NetworkEX.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Network Experience.exe

"C:\Users\Admin\AppData\Local\Temp\Network Experience.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9990.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\NetworkEX.exe

"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 format-cite.gl.at.ply.gg udp
US 147.185.221.17:4361 format-cite.gl.at.ply.gg tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 147.185.221.17:4361 format-cite.gl.at.ply.gg tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.17:4361 format-cite.gl.at.ply.gg tcp
US 147.185.221.17:4361 format-cite.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 147.185.221.17:4361 format-cite.gl.at.ply.gg tcp
US 147.185.221.17:4361 format-cite.gl.at.ply.gg tcp

Files

memory/3580-0-0x00007FFDAF3F3000-0x00007FFDAF3F5000-memory.dmp

memory/3580-1-0x0000000000350000-0x0000000000368000-memory.dmp

memory/3580-3-0x00007FFDAF3F0000-0x00007FFDAFEB2000-memory.dmp

memory/3580-4-0x00007FFDAF3F0000-0x00007FFDAFEB2000-memory.dmp

memory/3580-9-0x00007FFDAF3F0000-0x00007FFDAFEB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9990.tmp.bat

MD5 e3216c9f63f440a3247a70eeca022adc
SHA1 0bb99d9f3e8511c4226a2b6a851a5ac727196862
SHA256 378998304e6d5747ccd546d0666134195788ccd11d3e098d29fe7153d281925d
SHA512 dff9d05e183044d9b097aa19aa3c3a076e805cf5f30cba5bce0cbb6c1c94d0f504602b7f6f824ebf0250e8e67798d7d11c525fe1274f4660bf19ef39916d2589

C:\Users\Admin\AppData\Roaming\NetworkEX.exe

MD5 a1e76f2fbe7af658b38383fbfd7cfff4
SHA1 6dc43ef73b59ff29089a4b29bc8ade4ea63484ec
SHA256 7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1
SHA512 4a47391ba3132cfb36da8d7f08ae6856312b26547845e3fe5f3ddd0939893245bf4de337671bc917926d5c764a6100d084845236ef1707560ff5be4aa5f2bed8

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b