Overview

overview

10

Static

static

3

Demanda No...08.exe

windows7-x64

3

Demanda No...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Demanda No 2024-125421208.exe

  • Size

    363KB

  • MD5

    b6241e5b33792a2e0dd50c64ec3b02cc

  • SHA1

    fb42827ef55f27a81226d8f4d79be7c018646089

  • SHA256

    148806d795bae49568e4f2be94b53f067b6ee1aa67a5ecd9cb9ac21ea60a37f5

  • SHA512

    8cd94183b1696fae1862bfa0c3a254ee9d14f5d101c2a822c1058afe67edb469980b8937227a3da578fb1a968287f59858f6572de8629d91d7d0ab7ebaa70aaa

  • SSDEEP

    3072:rWWe7EIwyZUFSxwpzwr7xZppZsyeKjuOuVk9FB6mIqloS7rOCovd25UvWdITg/tX:AZHewr7TxsxKxFcm3frzovd2eGOgmK

Score
10/10
asyncratn12discoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

N12

C2

nuevodcsrathjd.duckdns.org:8081

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Demanda No 2024-125421208.exe
    "C:\Users\Admin\AppData\Local\Temp\Demanda No 2024-125421208.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\NVIDIA.exe
      "C:\Users\Admin\AppData\Local\NVIDIA.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"' & exit
          4⤵
            PID:1096
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4020
        • C:\Users\Admin\AppData\Local\Temp\NVIDIA.exe
          "C:\Users\Admin\AppData\Local\Temp\NVIDIA.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\NVIDIA.exe
            "C:\Users\Admin\AppData\Local\Temp\NVIDIA.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NVIDIA.exe.log
      Filesize

      1KB

      MD5

      7dca233df92b3884663fa5a40db8d49c

      SHA1

      208b8f27b708c4e06ac37f974471cc7b29c29b60

      SHA256

      90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

      SHA512

      d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

      Download Submit

    • C:\Users\Admin\AppData\Local\NVIDIA.exe
      Filesize

      363KB

      MD5

      b6241e5b33792a2e0dd50c64ec3b02cc

      SHA1

      fb42827ef55f27a81226d8f4d79be7c018646089

      SHA256

      148806d795bae49568e4f2be94b53f067b6ee1aa67a5ecd9cb9ac21ea60a37f5

      SHA512

      8cd94183b1696fae1862bfa0c3a254ee9d14f5d101c2a822c1058afe67edb469980b8937227a3da578fb1a968287f59858f6572de8629d91d7d0ab7ebaa70aaa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NVIDIA.exe
      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NVIDIA.txt
      Filesize

      50B

      MD5

      7565d02e1758ba63bc4ac3b6dd767bc8

      SHA1

      cc51c7dd84dfbe930f48b59769107572aa034d1a

      SHA256

      e8690bd295644d2e305a7e485103399e7e6333ff88ef91ec0659ced5ccff912f

      SHA512

      8a9b9e4fcc119f94a4ba40e6caa60c66f36de2031ac1dea67ee02e1f7a1903f47c006437f76a9675e5974918cfc69529e3a1973dc471ddba823e6425784d507c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NVIDIA.txt
      Filesize

      53B

      MD5

      75c654866a8395e6b7dd9e851f752ff1

      SHA1

      7a1550b035c06c0be48f0e1635db7ef371563ec7

      SHA256

      51ec61e3ca7a6bb2b3e31596536ff3febfbe5126e3fe22690c73aaab6140970e

      SHA512

      1391c22f211333575f53d6eef50c8b61817b8043d57a82b50a13bb5d20edeec001300c6fea4c1e20fa6ae8c2ed326e62e16c9ace9d91745aea7ec19463f30655

      Download Submit

    • memory/1968-61-0x0000000006D60000-0x0000000006DD6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1968-59-0x0000000005B80000-0x0000000005BE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1968-60-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1968-62-0x0000000006CE0000-0x0000000006CEC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1968-63-0x0000000006D40000-0x0000000006D5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1968-39-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1968-36-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2668-50-0x0000000000BB0000-0x0000000000BCA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3188-30-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3188-34-0x0000000006050000-0x000000000606A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3188-26-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3188-27-0x00000000006E0000-0x0000000000740000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3188-29-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3188-35-0x0000000006070000-0x0000000006076000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3188-31-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3188-32-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3188-33-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3768-10-0x00000000097D0000-0x00000000097DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3768-5-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3768-12-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3768-11-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3768-28-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3768-9-0x0000000010000000-0x0000000010092000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3768-8-0x00000000049C0000-0x00000000049C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3768-7-0x0000000010410000-0x00000000109B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3768-6-0x00000000094D0000-0x0000000009792000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3768-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3768-4-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3768-3-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3768-2-0x0000000004F30000-0x0000000004FCC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3768-1-0x00000000003D0000-0x0000000000430000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4020-65-0x00000000030C0000-0x00000000030F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4020-66-0x0000000005B70000-0x0000000006198000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4020-67-0x0000000005A00000-0x0000000005A22000-memory.dmp

      Filesize

      136KB

      Download