Analysis Overview
SHA256
4744d244bb23331abb4bf35a693bb4354b55285a378bd1db22b13d3e61570c88
Threat Level: Known bad
The file Bootstrapper.exe was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
AsyncRat
Async RAT payload
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:19
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:19
Reported
2024-11-09 23:22
Platform
win10ltsc2021-20241023-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SysKeeperVLR" /tr '"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B19.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SysKeeperVLR" /tr '"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"'
C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe
"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
Files
memory/1480-0-0x00007FFA208D0000-0x00007FFA20AC8000-memory.dmp
memory/1480-1-0x00000000002D0000-0x00000000002F0000-memory.dmp
memory/1480-2-0x00007FFA208D0000-0x00007FFA20AC8000-memory.dmp
memory/1480-3-0x0000000004D00000-0x0000000004D66000-memory.dmp
memory/1480-4-0x0000000005110000-0x00000000051AC000-memory.dmp
memory/1480-9-0x00007FFA208D0000-0x00007FFA20AC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8B19.tmp.bat
| MD5 | f8534dced55b66321566d8e956022083 |
| SHA1 | 5bebbcebb4a7e4feceac41293ecdd176f3115b49 |
| SHA256 | 421456e9a60d47c2655c04bc40dee54a0c6c3a5efc3d003c0f1c7c09c313da61 |
| SHA512 | 6f94e6749664ef5c896814afcfcaded62d87283b0c1c9f3f23b74f412a77bad67f1360deee8e1e88cdb7692f8356921fbe94083d73b61e4b8a11917e30901004 |
C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe
| MD5 | c3d1f3320345e4f686f424dfc830d55e |
| SHA1 | a5f901cc9b310c033ef4a8469a691b3b3f22dc58 |
| SHA256 | 4744d244bb23331abb4bf35a693bb4354b55285a378bd1db22b13d3e61570c88 |
| SHA512 | 045a68da3a72a8eceedfe72f9dc4256a2ebc80c81e89cbe5da3ca2b958dcd41222edcc3c2c774b7847f91a525c52070a1aa778f62d372f143f87ceafaf4cb46b |
memory/4576-14-0x00007FFA208D0000-0x00007FFA20AC8000-memory.dmp
memory/4576-15-0x00007FFA208D0000-0x00007FFA20AC8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:19
Reported
2024-11-09 23:22
Platform
win11-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SysKeeperVLR" /tr '"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SysKeeperVLR" /tr '"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe
"C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
| DE | 193.161.193.99:9999 | N/A | tcp |
Files
memory/720-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp
memory/720-1-0x0000000000470000-0x0000000000490000-memory.dmp
memory/720-2-0x0000000074F90000-0x0000000075741000-memory.dmp
memory/720-3-0x0000000004EC0000-0x0000000004F26000-memory.dmp
memory/720-4-0x0000000005370000-0x000000000540C000-memory.dmp
memory/720-9-0x0000000074F90000-0x0000000075741000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.bat
| MD5 | fb693135860e991db6bad055dcce26ec |
| SHA1 | 273d18d4458359b7dccc436020105fda3a812438 |
| SHA256 | b5b2e1badcf0441a0158210d167f390b166681ebb830a631cae196817b7ea559 |
| SHA512 | 0bc2abb0e809368bec32dba220575ddac117ebc43d2f2f99b252f69b7d5100585124cbff273724d82bb94967ff79faf02643190cf7d16874f44768511bda3486 |
C:\Users\Admin\AppData\Roaming\SysKeeperVLR.exe
| MD5 | c3d1f3320345e4f686f424dfc830d55e |
| SHA1 | a5f901cc9b310c033ef4a8469a691b3b3f22dc58 |
| SHA256 | 4744d244bb23331abb4bf35a693bb4354b55285a378bd1db22b13d3e61570c88 |
| SHA512 | 045a68da3a72a8eceedfe72f9dc4256a2ebc80c81e89cbe5da3ca2b958dcd41222edcc3c2c774b7847f91a525c52070a1aa778f62d372f143f87ceafaf4cb46b |
memory/3696-14-0x0000000074EE0000-0x0000000075691000-memory.dmp
memory/3696-15-0x0000000074EE0000-0x0000000075691000-memory.dmp