Overview

overview

10

Static

static

10

V3xSolarafixer.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    208s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-11-2024 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    V3xSolarafixer.exe

  • Size

    63KB

  • MD5

    50d116e9767adfb337a4102c5cc454f6

  • SHA1

    72a09cb78c5bf8cef60749d3de5d49e9aff181ca

  • SHA256

    1a36fec822c22bf439fc2d4355d3baf53dece6eebc94ffdb2f1ae213e9691a1a

  • SHA512

    75b805ee405105f2c069234f4252553cacfe21de86b78cdbe36b4bbeb77326553c9d9d0e63b27fae7277e0886b06d84db5fc2a7d3b1aec06f51eeac8d6402428

  • SSDEEP

    768:QE85qOJnVh78b8C8A+Xw9rb3Da5tvWmEe1+T4kSBGHmDbDqph5oXyEotA3SuUdph:K9VvTt+mBXYUb0hYyKiuUdpqKmY7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

193.161.193.99:36700

Attributes
  • delay

    1

  • install

    true

  • install_file

    syskprvalr.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\V3xSolarafixer.exe
    "C:\Users\Admin\AppData\Local\Temp\V3xSolarafixer.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syskprvalr" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalr.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "syskprvalr" /tr '"C:\Users\Admin\AppData\Roaming\syskprvalr.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93B1.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4880
      • C:\Users\Admin\AppData\Roaming\syskprvalr.exe
        "C:\Users\Admin\AppData\Roaming\syskprvalr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:872
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1004
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:3892
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:1832

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\85826edc-3721-4bc0-8c00-bf135050eabd.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      fbbd10b5151e4365bceb3190d826c524

      SHA1

      45a77c1d88151d54383047d84019bc9e84cfa0c8

      SHA256

      4400d61bcd5543a3123ae53baff8863336555d96350ec33ce9a3f8242917cbb3

      SHA512

      32404e11daf2116efd194a65a96c24d83c8b0f1eed80ae63d6077d26e8b51f636db993e98474257fb2aa262d87b6ce6219fdf8f2162b4fd179a3e95c9dbee7f9

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      d6d3499e5dfe058db4af5745e6885661

      SHA1

      ef47b148302484d5ab98320962d62565f88fcc18

      SHA256

      7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

      SHA512

      ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp93B1.tmp.bat
      Filesize

      154B

      MD5

      4cdbac7cf793f3f62867ec8b9efaca87

      SHA1

      f5f9dc21a10f3dcadd58b8f6dd62e801ae791b70

      SHA256

      81f84b51e25848288adbe41be25218edb67246844d23e6b81f5d4b5ed85fd09e

      SHA512

      95414a7aa608482708052f88bc4f83489f4232acc7b7fbb82058a5c90d9e65805c0f63850c20a58076a10f62f4cdafcb678431cf261cf9502f988b8eee0a06e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\syskprvalr.exe
      Filesize

      63KB

      MD5

      50d116e9767adfb337a4102c5cc454f6

      SHA1

      72a09cb78c5bf8cef60749d3de5d49e9aff181ca

      SHA256

      1a36fec822c22bf439fc2d4355d3baf53dece6eebc94ffdb2f1ae213e9691a1a

      SHA512

      75b805ee405105f2c069234f4252553cacfe21de86b78cdbe36b4bbeb77326553c9d9d0e63b27fae7277e0886b06d84db5fc2a7d3b1aec06f51eeac8d6402428

      Download Submit

    • memory/872-17-0x0000000002E50000-0x0000000002E6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/872-15-0x000000001CCF0000-0x000000001CD66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/872-16-0x0000000002E20000-0x0000000002E54000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2692-8-0x00007FFC29B30000-0x00007FFC2A5F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2692-0-0x00007FFC29B33000-0x00007FFC29B35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2692-3-0x00007FFC29B30000-0x00007FFC2A5F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2692-2-0x00007FFC29B30000-0x00007FFC2A5F2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2692-1-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download