Analysis Overview
SHA256
7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1
Threat Level: Known bad
The file Network Experience.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:18
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:18
Reported
2024-11-09 22:21
Platform
win10ltsc2021-20241023-en
Max time kernel
127s
Max time network
144s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Network Experience.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NetworkEX.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Network Experience.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NetworkEX.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NetworkEX.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Network Experience.exe
"C:\Users\Admin\AppData\Local\Temp\Network Experience.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9990.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\NetworkEX.exe
"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | format-cite.gl.at.ply.gg | udp |
| US | 147.185.221.17:4361 | format-cite.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 147.185.221.17:4361 | format-cite.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 147.185.221.17:4361 | format-cite.gl.at.ply.gg | tcp |
| US | 147.185.221.17:4361 | format-cite.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.17:4361 | format-cite.gl.at.ply.gg | tcp |
| US | 147.185.221.17:4361 | format-cite.gl.at.ply.gg | tcp |
Files
memory/3580-0-0x00007FFDAF3F3000-0x00007FFDAF3F5000-memory.dmp
memory/3580-1-0x0000000000350000-0x0000000000368000-memory.dmp
memory/3580-3-0x00007FFDAF3F0000-0x00007FFDAFEB2000-memory.dmp
memory/3580-4-0x00007FFDAF3F0000-0x00007FFDAFEB2000-memory.dmp
memory/3580-9-0x00007FFDAF3F0000-0x00007FFDAFEB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9990.tmp.bat
| MD5 | e3216c9f63f440a3247a70eeca022adc |
| SHA1 | 0bb99d9f3e8511c4226a2b6a851a5ac727196862 |
| SHA256 | 378998304e6d5747ccd546d0666134195788ccd11d3e098d29fe7153d281925d |
| SHA512 | dff9d05e183044d9b097aa19aa3c3a076e805cf5f30cba5bce0cbb6c1c94d0f504602b7f6f824ebf0250e8e67798d7d11c525fe1274f4660bf19ef39916d2589 |
C:\Users\Admin\AppData\Roaming\NetworkEX.exe
| MD5 | a1e76f2fbe7af658b38383fbfd7cfff4 |
| SHA1 | 6dc43ef73b59ff29089a4b29bc8ade4ea63484ec |
| SHA256 | 7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1 |
| SHA512 | 4a47391ba3132cfb36da8d7f08ae6856312b26547845e3fe5f3ddd0939893245bf4de337671bc917926d5c764a6100d084845236ef1707560ff5be4aa5f2bed8 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |