Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11-11-2024 04:21

General

  • Target

    script_rust Autogun.exe

  • Size

    158KB

  • MD5

    e2a386c9361821a799e06ec0d2bd00d4

  • SHA1

    8c021c9435c6dd9afa0fc831f6d678c070fa569b

  • SHA256

    ad09b83fa9f8d736fad4a986c8163715d5527610929d9f0f7afd1db28824288c

  • SHA512

    246154bf280f4d92c1f61fc5705e4258a82602f566135caec6e54e6e531215f3aac51470cd3e58a69e6eea0d0b9595c180c5db9b90ebd2616c9aca3ed4f3f9fc

  • SSDEEP

    3072:z5RpQAYz728HyfLAp5evKcoOGSyViThMRKXBwLs/z0wKLA0WeGZ0gTypY:tnvYz728YPjgKXAs/sLA0W9ZX

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Pou

Mutex

R4rg

Attributes
  • delay

    1

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %Temp%

  • pastebin_config

    https://pastebin.com/raw/SctPUR4x

  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\script_rust Autogun.exe
    "C:\Users\Admin\AppData\Local\Temp\script_rust Autogun.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2644
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F90.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2016
      • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3272
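
Two launch patterns in the tree above are worth turning into detection logic: schtasks.exe creating an ONLOGON task with /rl highest whose action (/tr) lives under a user-writable directory, and cmd.exe running a .bat from %Temp% that delays with timeout.exe and then starts an EXE dropped into %Temp% (here a byte-for-byte copy of the sample, as the identical hashes under Downloads show). The following is an added example, not part of the sandbox report or of Triage: it parses the schtasks command line properly (the /tr value is wrapped in single quotes around double quotes, which Windows does not treat as quoting) and walks a simplified Sysmon-like process list constructed from the report's process tree. The field names, the root process's parent PID (1000) and the list of user-writable directories are assumptions.

```python
"""Process-tree detection for the two launch patterns seen in the report:

  (1) schtasks.exe /create ... /sc onlogon /rl highest with an action (/tr)
      in a user-writable directory, and
  (2) cmd.exe running a .bat from %Temp% whose children are timeout.exe
      and an EXE started from a user-writable directory.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; field names and ppid 1000 are assumptions.
"""
import re
from collections import defaultdict

# A token is a run of quoted and unquoted pieces, so '"C:\dir\Runtime Broker.exe"'
# stays one token even though the single quotes quote nothing on Windows.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

_VERBS = {"create", "delete", "query", "change", "run", "end"}
# schtasks options that consume the following token as their value
_VALUE_OPTS = {"sc", "tn", "tr", "rl", "ru", "rp", "st", "sd", "mo", "d", "m",
               "i", "ri", "du", "et", "xml", "s", "u", "p"}
# Directories a standard user can write to (assumed list; extend for your estate)
_USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\",
                            re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted spans intact,
    then drop the double quotes and any stray surrounding single quotes."""
    return [t.replace('"', "").strip("'") for t in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Parse schtasks arguments into {'verb': ..., 'sc': ..., 'tn': ..., 'tr': ..., ...}."""
    toks = tokenize(cmdline)
    out = {"verb": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t.startswith("/"):
            opt = t[1:].lower()
            if opt in _VERBS:
                out["verb"] = opt
            elif opt in _VALUE_OPTS and i + 1 < len(toks):
                out[opt] = toks[i + 1]
                i += 1
            else:
                out[opt] = True        # bare switch such as /f
        i += 1
    return out


def is_user_writable(path):
    return bool(_USER_WRITABLE.search(path))


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_suspicious_tasks(events):
    """Rule 1: logon/boot-triggered, highest-privilege task whose action is user-writable."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "schtasks.exe":
            continue
        args = parse_schtasks(ev["cmdline"])
        action = args.get("tr", "")
        if (args.get("verb") == "create"
                and str(args.get("sc", "")).lower() in {"onlogon", "onstart", "minute"}
                and str(args.get("rl", "")).lower() == "highest"
                and is_user_writable(action)):
            findings.append({"rule": "schtasks_userwritable_onlogon", "pid": ev["pid"],
                             "task": args.get("tn"), "action": action})
    return findings


def find_delayed_dropper_launch(events):
    """Rule 2: cmd.exe /c <Temp>\\*.bat whose children are timeout.exe plus an EXE in a user-writable dir."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        if not re.search(r'\\Temp\\[^\s"]+\.bat', ev["cmdline"], re.IGNORECASE):
            continue
        kids = children[ev["pid"]]
        delayed = any(basename(k["image"]) == "timeout.exe" for k in kids)
        launched = [k["image"] for k in kids
                    if is_user_writable(k["image"]) and basename(k["image"]).endswith(".exe")]
        if delayed and launched:
            findings.append({"rule": "bat_timeout_then_userwritable_exe", "pid": ev["pid"],
                             "launched": launched})
    return findings


def analyze(events):
    return find_suspicious_tasks(events) + find_delayed_dropper_launch(events)


# Constructed from the report's process tree (pid, ppid, image, command line).
EVENTS = [
    {"pid": 4736, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\script_rust Autogun.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\script_rust Autogun.exe"'},
    {"pid": 1488, "ppid": 4736, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"""\"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"' & exit"""},
    {"pid": 2644, "ppid": 1488, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"'"""},
    {"pid": 440, "ppid": 4736, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F90.tmp.bat""'},
    {"pid": 2016, "ppid": 440, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 3272, "ppid": 440,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"'},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Rule 1 deliberately keys on the combination of trigger, run level and action path rather than on the task name, so a rename away from "Runtime Broker" still fires; a task whose action sits under Program Files with a daily schedule and no /rl highest is not flagged. Rule 2 uses parent-child structure rather than the temporary batch name, which changes per run (tmp7F90.tmp.bat here).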

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

    Filesize

    158KB

    MD5

    e2a386c9361821a799e06ec0d2bd00d4

    SHA1

    8c021c9435c6dd9afa0fc831f6d678c070fa569b

    SHA256

    ad09b83fa9f8d736fad4a986c8163715d5527610929d9f0f7afd1db28824288c

    SHA512

    246154bf280f4d92c1f61fc5705e4258a82602f566135caec6e54e6e531215f3aac51470cd3e58a69e6eea0d0b9595c180c5db9b90ebd2616c9aca3ed4f3f9fc

  • C:\Users\Admin\AppData\Local\Temp\tmp7F90.tmp.bat

    Filesize

    161B

    MD5

    cbe0c533d3cfb3511640aef0b211faa6

    SHA1

    383eb0e6cdacd175810368c5888eadc57050b791

    SHA256

    8b815ad9879e86483ea1865a188b8760d7716ce1b15ae0fcc078c97db00086de

    SHA512

    e7ccf1a3fdbafc310ef63f943e448d2375bea2ba3a2fe40da040411161f3790686dd87911f6434f935c6eb0b0ab3aa491d8ffbc7d61fc8777c05300950bdc128

  • memory/4736-6-0x000002AC77480000-0x000002AC77496000-memory.dmp

    Filesize

    88KB

  • memory/4736-3-0x000002AC76C00000-0x000002AC76C1A000-memory.dmp

    Filesize

    104KB

  • memory/4736-4-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4736-5-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4736-0-0x00007FFCD91D3000-0x00007FFCD91D5000-memory.dmp

    Filesize

    8KB

  • memory/4736-7-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4736-8-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4736-14-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4736-15-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4736-2-0x000002AC76B60000-0x000002AC76B68000-memory.dmp

    Filesize

    32KB

  • memory/4736-1-0x000002AC74FE0000-0x000002AC7500E000-memory.dmp

    Filesize

    184KB