Analysis Overview
SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c
Threat Level: Known bad
The file COMPILED.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Asyncrat family
Executes dropped EXE
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 06:46
Signatures
Async RAT payload
Asyncrat family
Unsigned PE
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\FileSearcher.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\LimeLogger.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
91s
Max time network
93s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Options.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\ProcessManager.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
90s
Max time network
95s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31143405" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1687892800" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5084 wrote to memory of 1800 | N/A | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE | C:\Program Files\Internet Explorer\iexplore.exe |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe.xml"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe.xml
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
143s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 1100 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\COMPILED.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe
| MD5 | 97a429c4b6a2cb95ece0ddb24c3c2152 |
| SHA1 | 6fcc26793dd474c0c7113b3360ff29240d9a9020 |
| SHA256 | 06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5 |
| SHA512 | 524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89 |
C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe.config
| MD5 | cb1f2dcfeb5cbb5af8efa7ea40b8e908 |
| SHA1 | ceb040761554040cac2fc7ca18623498d3bfc7ce |
| SHA256 | 58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372 |
| SHA512 | f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AsyncRAT.exe.log
| MD5 | b4e91d2e5f40d5e2586a86cf3bb4df24 |
| SHA1 | 31920b3a41aa4400d4a0230a7622848789b38672 |
| SHA256 | 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210 |
| SHA512 | 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319 |
memory/4600-90-0x000002927BB30000-0x000002927BB3A000-memory.dmp
memory/4600-91-0x000002927BAA0000-0x000002927BAB2000-memory.dmp
memory/4600-92-0x000002927DCE0000-0x000002927DF60000-memory.dmp
memory/4600-100-0x000002927BCA0000-0x000002927BDA2000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Recovery.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Miscellaneous.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\RemoteCamera.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\SendFile.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\SendMemory.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
92s
Max time network
94s
Command Line
Signatures
AsyncRat
Asyncrat family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 824
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1140-0-0x000000007460E000-0x000000007460F000-memory.dmp
memory/1140-1-0x00000000006D0000-0x00000000006E0000-memory.dmp
memory/1140-2-0x00000000055A0000-0x00000000056A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_bsozgjfh10ettuvlzzecwz2b2kv3ubbv\0.5.8.0\user.config
| MD5 | f71f55112253acc1ef2ecd0a61935970 |
| SHA1 | faa9d50656e386e460278d31b1d9247fdd947bb7 |
| SHA256 | d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179 |
| SHA512 | 761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44 |
memory/2740-32-0x00007FFD6EF10000-0x00007FFD6F9D2000-memory.dmp
memory/2740-33-0x00007FFD6EF10000-0x00007FFD6F9D2000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\FileManager.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\RemoteDesktop.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Chat.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 06:46
Reported
2024-11-13 06:49
Platform
win11-20241007-es
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Extra.dll,#1