Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-12-2024 03:00
General
-
Target
roaricle.exe
-
Size
63KB
-
MD5
9f39043be09533636bbfdd4ec3101f6a
-
SHA1
1e964ba2a874c24a5fdc430c827a1ba82dc657ab
-
SHA256
179027517e90f9e8173f63ba247d7c0d414259fdef3a29a5692c85d84dce557d
-
SHA512
09c0573e2f4db331714d86d32abf9623b5a9560c1e7ac8359a0ef434cc79940143e837a2674aa5140b79e1b1302faf75df9959d184109aad231db78a90139233
-
SSDEEP
1536:PJxFz3FI8Cwof4wJ6Vfh2MBPG2bPw0mQCfhGxZVclN:PJxFz3FI8Cwo7J6VJL1G2bPTCfwzY
Malware Config
Extracted
asyncrat
1.0.7
Default
fojeweb571-45302.portmap.host:4782
fojeweb571-45302.portmap.host:45302
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
windows defender firewall.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\roaricle.exe"C:\Users\Admin\AppData\Local\Temp\roaricle.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD143.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169B
MD573e0ee44afa6813c1bebd5e8c7dd97b6
SHA1366ad16dcab01420797460f5899c980611b550ac
SHA256f39205381175fc3ea31326a4f6c60c80d977d8b80f32a85ed1e476334aff3e39
SHA512f11a4a8ac5db7e737194cfd868a54b68e858301f5b4afcf98ccc41da6e692f0dbcab85b0a3381ee6bc214d7b57f22b9f7d1b994a1c2465cd13c085232f69101c
-
Filesize
63KB
MD59f39043be09533636bbfdd4ec3101f6a
SHA11e964ba2a874c24a5fdc430c827a1ba82dc657ab
SHA256179027517e90f9e8173f63ba247d7c0d414259fdef3a29a5692c85d84dce557d
SHA51209c0573e2f4db331714d86d32abf9623b5a9560c1e7ac8359a0ef434cc79940143e837a2674aa5140b79e1b1302faf75df9959d184109aad231db78a90139233
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
88KB