General
Target: PO-341999-PDF.exe
Size: 1.6MB
Sample: 241114-p724wsynfw
MD5: 166d084ca362984e8c8759c77644963e
SHA1: 2a020dd02a2882c9a785ea5f81e435413f90bf36
SHA256: 6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e
SHA512: ddce968417460650561dcbfd9d61c413fc5bff892a4b0263aeed911f07954d57d1413af35a73d45edbdb4975e59eecbb782be20b5097c2e781295e95b08c770a
SSDEEP: 12288:Pvql1LFyp0Qgxun0rYe6MrQKrKFPyvrvA7fP:gL8/gx16MrQKrgPyvbA7P
Static task: static1
Behavioral task: behavioral1
Sample: PO-341999-PDF.exe
Resource: win7-20240729-en
Malware Config
Extracted:
- asyncrat
- 0.5.8
- Default
- 95.179.135.209:1989
- FhYe09MKTBbQ
- delay: 3
- install: false
- install_folder: %AppData%
Targets
Target: PO-341999-PDF.exe
Size: 1.6MB
- Asyncrat family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (4)