Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2024 18:59
Static task: static1
Behavioral task: behavioral1
Sample: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe
Resource: win7-20240903-en
General
Target: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe
Size: 238KB
MD5: 9d1e589ea8c4b3c59d3fb46afa940da5
SHA1: 817bf841284e0279d15cb27f73a0939344dfb811
SHA256: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed
SHA512: a7db38a58cf9580c987fe6c3293dc279a67458850862d86d0cc60fb7c9213bf92311be2a8ac44ae055fd24619df8f76d33f32835a254d386e4e53e2602d63ac2
SSDEEP: 3072:/Yzwrq5J9SwHMFF9Kw/kxLk42s/8Y31/Yvi9GA54IkMwP5gMTmmsolNIrRuw+mqM:A9zHMFF9KxLp8YFgvwmZrTmDAN
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 54.253.7.109:4447
Mutex: XqcNee3124zJ
delay: 21
install: true
install_file: service.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (2 IoCs)
Processes:
  resource: behavioral2/memory/4640-2-0x0000000002490000-0x00000000024A2000-memory.dmp   yara_rule: family_asyncrat
  resource: behavioral2/memory/1976-16-0x0000000002920000-0x0000000002932000-memory.dmp   yara_rule: family_asyncrat
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried   ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation   process: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid: 1976   process: service.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: schtasks.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: service.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: cmd.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: cmd.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: timeout.exe
Delays execution with timeout.exe (1 IoCs)
Processes:
  pid: 3828   process: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
  pid: 4640   process: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe   (23 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description: Token: SeDebugPrivilege   pid: 4640   process: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe
  description: Token: SeDebugPrivilege   pid: 1976   process: service.exe
  description: Token: SeDebugPrivilege   pid: 1976   process: service.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description: PID 4640 wrote to memory of 2064   pid: 4640   process: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe   procid_target: 97   (3 entries)
  description: PID 4640 wrote to memory of 2836   pid: 4640   process: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe   procid_target: 99   (3 entries)
  description: PID 2064 wrote to memory of 2152   pid: 2064   process: cmd.exe   procid_target: 101   (3 entries)
  description: PID 2836 wrote to memory of 3828   pid: 2836   process: cmd.exe   procid_target: 102   (3 entries)
  description: PID 2836 wrote to memory of 1976   pid: 2836   process: cmd.exe   procid_target: 104   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed.exe"
  PID: 4640
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"' & exit
    PID: 2064
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"'
      PID: 2152
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD35D.tmp.bat""
    PID: 2836
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      PID: 3828
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\service.exe
      command line: "C:\Users\Admin\AppData\Roaming\service.exe"
      PID: 1976
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 151B
MD5: c192ce791c5e1707bb5b1f811b45e8a0
SHA1: ad32a5c7a2570d75783521e1355c9cdbf64c7c0a
SHA256: f8f92c2d3bf55ca6d7ca522a14eb601e979a67ca1bd369f009c9d683dd923b7b
SHA512: 02cb33742262487c5dd90be9df941051851920b194c9c779388ba2b04cf18c8bfb9a10447bff61b422f35670a8cf5a44b05a4bca90269009ff1686dce427487f

Filesize: 238KB
MD5: 9d1e589ea8c4b3c59d3fb46afa940da5
SHA1: 817bf841284e0279d15cb27f73a0939344dfb811
SHA256: 9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed
SHA512: a7db38a58cf9580c987fe6c3293dc279a67458850862d86d0cc60fb7c9213bf92311be2a8ac44ae055fd24619df8f76d33f32835a254d386e4e53e2602d63ac2