Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 00:53
General
-
Target
Infected.exe
-
Size
63KB
-
MD5
9efaf6b98fdde9df4532d1236b60619f
-
SHA1
5d1414d09d54de16b04cd0cd05ccfc0692588fd1
-
SHA256
7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6
-
SHA512
eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d
-
SSDEEP
768:PHMvlKazXYN78NwC8A+XuqazcBRL5JTk1+T4KSBGHmDbD/ph0oXtKnk+SusdpqKX:EtTXA9dSJYUbdh9dJusdpqKmY7
Malware Config
Extracted
asyncrat
Default
forums-appliances.gl.at.ply.gg:1962
-
delay
1
-
install
true
-
install_file
windows.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Infected.exe"C:\Users\Admin\AppData\Local\Temp\Infected.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F99.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\windows.exe"C:\Users\Admin\AppData\Roaming\windows.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
151B
MD546d94699bb016a8ae3ff9462e845470e
SHA132f7d5b9090c7a7f2473ff6712660173b3c6b3ce
SHA25686d17f9799768e4b699dcbdebd70085134e66bc3c6fbad672cc07722c36f8d27
SHA512e2db075f08a1139bf0ea98f16113d54fe87798975dc5b90fe65359d406ae153443e9e2c1bd9971fcc08341950f47467686502212bc205ce7dd84524978b1cfa7
-
Filesize
63KB
MD59efaf6b98fdde9df4532d1236b60619f
SHA15d1414d09d54de16b04cd0cd05ccfc0692588fd1
SHA2567c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6
SHA512eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
88KB