Overview

overview

10

Static

static

3

6fed9ac910...2e.exe

windows7-x64

10

6fed9ac910...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e.exe

  • Size

    1.6MB

  • MD5

    166d084ca362984e8c8759c77644963e

  • SHA1

    2a020dd02a2882c9a785ea5f81e435413f90bf36

  • SHA256

    6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e

  • SHA512

    ddce968417460650561dcbfd9d61c413fc5bff892a4b0263aeed911f07954d57d1413af35a73d45edbdb4975e59eecbb782be20b5097c2e781295e95b08c770a

  • SSDEEP

    12288:Pvql1LFyp0Qgxun0rYe6MrQKrKFPyvrvA7fP:gL8/gx16MrQKrgPyvbA7P

Score
10/10
asyncratdefaultdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

95.179.135.209:1989

Mutex

FhYe09MKTBbQ

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e.exe
    "C:\Users\Admin\AppData\Local\Temp\6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6fed9ac910b4570ce24f3d4230fbe550f181ad5f1ab089725e3eb9f7e8142f2e.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2088
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 596 -s 792
      2⤵
        PID:1712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/596-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/596-1-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/596-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/596-3-0x0000000000C80000-0x0000000000CE4000-memory.dmp

      Filesize

      400KB

      Download

    • memory/596-21-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2088-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-15-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2088-17-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2088-11-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2088-10-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2088-9-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2088-8-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2088-13-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2304-18-0x0000000002A90000-0x0000000002B10000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2304-19-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2304-20-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

      Download