Analysis
-
max time kernel
90s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-12-2024 10:45
Static task
static1
Behavioral task
behavioral1
Sample
1E45D6ABB8FA749D0FDE3EADD586E637.exe
Resource
win7-20240903-en
General
-
Target
1E45D6ABB8FA749D0FDE3EADD586E637.exe
-
Size
258KB
-
MD5
1e45d6abb8fa749d0fde3eadd586e637
-
SHA1
4a961b4a92fa3fb1265f729d18f2f0638cba018a
-
SHA256
d21a63a1bcc5afdc0eb4b00e6b82af4bdf1f634e50d0d51001a4c27ac7f84379
-
SHA512
58f30c478856230c16ae7bb8425e32e0dce23d927de1d7d4697400617609a3f5dfd9ceca98426b05e240ae515ba5408af569714c9d95e17652c0e83406762900
-
SSDEEP
3072:Xxjla5113NyCzPWYykCbXCfe8jtgszyAVibmbJ30U11xjZjsDQBxQh68:XZla513yAykOyG2gszyjm1EUTEDO
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
2.56.179.212:4445
Mutex
AsyncMutex_6SI8OkPnk
Attributes
delay: 3
install: true
install_file: THK.exe
install_folder: %AppData%
Signatures
-
Asyncrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 1E45D6ABB8FA749D0FDE3EADD586E637.exe
Executes dropped EXE 3 IoCs
Processes:
pid | Process
832 | THK.exe
1672 | THK.exe
4208 | THK.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | Process | procid_target
PID 2696 set thread context of 952 | 2696 | 1E45D6ABB8FA749D0FDE3EADD586E637.exe | 85
PID 832 set thread context of 4208 | 832 | THK.exe | 95
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | THK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | THK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1E45D6ABB8FA749D0FDE3EADD586E637.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1E45D6ABB8FA749D0FDE3EADD586E637.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid | Process
4384 | timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
pid | Process
952 | 1E45D6ABB8FA749D0FDE3EADD586E637.exe (23 identical entries)
832 | THK.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 952 | 1E45D6ABB8FA749D0FDE3EADD586E637.exe
Token: SeDebugPrivilege | 832 | THK.exe
Token: SeDebugPrivilege | 4208 | THK.exe
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
description | pid | Process | procid_target | count
PID 2696 wrote to memory of 952 | 2696 | 1E45D6ABB8FA749D0FDE3EADD586E637.exe | 85 | 8
PID 952 wrote to memory of 208 | 952 | 1E45D6ABB8FA749D0FDE3EADD586E637.exe | 87 | 3
PID 952 wrote to memory of 600 | 952 | 1E45D6ABB8FA749D0FDE3EADD586E637.exe | 89 | 3
PID 208 wrote to memory of 4848 | 208 | cmd.exe | 91 | 3
PID 600 wrote to memory of 4384 | 600 | cmd.exe | 92 | 3
PID 600 wrote to memory of 832 | 600 | cmd.exe | 93 | 3
PID 832 wrote to memory of 1672 | 832 | THK.exe | 94 | 3
PID 832 wrote to memory of 4208 | 832 | THK.exe | 95 | 8
Processes
C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe"
  PID: 2696
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1E45D6ABB8FA749D0FDE3EADD586E637.exe"
    PID: 952
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "THK" /tr '"C:\Users\Admin\AppData\Roaming\THK.exe"' & exit
      PID: 208
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "THK" /tr '"C:\Users\Admin\AppData\Roaming\THK.exe"'
        PID: 4848
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.bat""
      PID: 600
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 4384
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Roaming\THK.exe
        Command line: "C:\Users\Admin\AppData\Roaming\THK.exe"
        PID: 832
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\THK.exe
          Command line: "C:\Users\Admin\AppData\Roaming\THK.exe"
          PID: 1672
          - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\THK.exe
          Command line: "C:\Users\Admin\AppData\Roaming\THK.exe"
          PID: 4208
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1E45D6ABB8FA749D0FDE3EADD586E637.exe.log
Filesize
1KB
MD5
7ebe314bf617dc3e48b995a6c352740c
SHA1
538f643b7b30f9231a3035c448607f767527a870
SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e
-
Filesize
147B
MD5
baa3dd5608c2808178b1b94fc33cddac
SHA1
66eb6ad3a16b99d3aaeed0afd9afdff9dbad66fd
SHA256
b7e01c9802780ebc57bd7894215d86834805feb79a5a2abc3242e61d42291130
SHA512
a6ffecb9860907ccabe0312b84143d70ceaef7791d8e1a6d71c7671be5d9a33226e50897ae2ceda7feefdc6c2f86eff42333fec4db32296f3c5d1123e1a8b2c2
-
Filesize
258KB
MD5
1e45d6abb8fa749d0fde3eadd586e637
SHA1
4a961b4a92fa3fb1265f729d18f2f0638cba018a
SHA256
d21a63a1bcc5afdc0eb4b00e6b82af4bdf1f634e50d0d51001a4c27ac7f84379
SHA512
58f30c478856230c16ae7bb8425e32e0dce23d927de1d7d4697400617609a3f5dfd9ceca98426b05e240ae515ba5408af569714c9d95e17652c0e83406762900