Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
- submitted: 07-12-2024 14:36
Behavioral task: behavioral1
Sample: Client.exe
Resource: win10ltsc2021-20241023-en
General
- Target: Client.exe
- Size: 48KB
- MD5: 0b1d82dcae9ef015991a691b3f9d2530
- SHA1: 3578a68865f09b7a0aa3239e4a564c44847d46ac
- SHA256: 2bd95dc32d31cbccea67492b6520d361f1c386be53a63c52fa6aafd9b7326afe
- SHA512: 017d4b715c9d5dfcd1d8a4a0b6c9ee01d428884c0b2ca4203edc7ea9d7fa065a7aeb00fe51dbf2448b504258d3eb388b888fbaf398e515bcd63e2ec1f0af6f5f
- SSDEEP: 768:6ZAVhIL9JfD+5iUtelDSN+iV08YbygepG6x/WvEgK/JUZVc6KN:6ZH1UtKDs4zb1F6x/WnkJUZVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
127.0.0.1:60073
dfsgmnhsrf23456623423456-60073.portmap.host:8848
dfsgmnhsrf23456623423456-60073.portmap.host:60073
DcRatMutex_qwqdanchunxinsfd,mhbm gdfvg
- delay: 1
- install: true
- install_file: windows defender firewall required.exe
- install_folder: %Temp%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral2/files/0x001c00000002aa63-11.dat | family_asyncrat
-
Executes dropped EXE 1 IoCs
pid | Process
2988 | windows defender firewall required.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Delays execution with timeout.exe 1 IoCs
pid | Process
4796 | timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1784 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid | Process
4244 | Client.exe (repeated entries)
4860 | taskmgr.exe (repeated entries)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4244 | Client.exe
Token: SeDebugPrivilege | 2988 | windows defender firewall required.exe
Token: SeDebugPrivilege | 4860 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4860 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4860 | taskmgr.exe
Token: 33 | 4860 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4860 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 52 IoCs
pid | Process
4860 | taskmgr.exe (all 52 entries)
-
Suspicious use of SendNotifyMessage 52 IoCs
pid | Process
4860 | taskmgr.exe (all 52 entries)
-
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 4244 wrote to memory of 1320 | 4244 | Client.exe | 77
PID 4244 wrote to memory of 1320 | 4244 | Client.exe | 77
PID 4244 wrote to memory of 4608 | 4244 | Client.exe | 79
PID 4244 wrote to memory of 4608 | 4244 | Client.exe | 79
PID 4608 wrote to memory of 4796 | 4608 | cmd.exe | 82
PID 4608 wrote to memory of 4796 | 4608 | cmd.exe | 82
PID 1320 wrote to memory of 1784 | 1320 | cmd.exe | 81
PID 1320 wrote to memory of 1784 | 1320 | cmd.exe | 81
PID 4608 wrote to memory of 2988 | 4608 | cmd.exe | 83
PID 4608 wrote to memory of 2988 | 4608 | cmd.exe | 83
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID:1320
    - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID:1784
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp703E.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID:4608
    - C:\Windows\system32\timeout.exe
      timeout 3
      - Delays execution with timeout.exe
      PID:4796
    - C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe
      "C:\Users\Admin\AppData\Local\Temp\windows defender firewall required.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2988
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4860
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 181B
  MD5: 3c78e7784e968e155686b3e91a556b18
  SHA1: d060fbde678f91f47203e4c7d085c33f4b2dba1d
  SHA256: 305d96165845ca5d3d1f995290719c925ed37fcc8e7c40c98a5f463f4e5fa643
  SHA512: 81005851fa6dbe9afebea531d97f80bc72029826d20a287148a7e7b240a59d6929c6b0454ced5795c0dcaa7b613a020ed8703e4bd1402bbd5661138470b7d6a6
- Filesize: 48KB
  MD5: 0b1d82dcae9ef015991a691b3f9d2530
  SHA1: 3578a68865f09b7a0aa3239e4a564c44847d46ac
  SHA256: 2bd95dc32d31cbccea67492b6520d361f1c386be53a63c52fa6aafd9b7326afe
  SHA512: 017d4b715c9d5dfcd1d8a4a0b6c9ee01d428884c0b2ca4203edc7ea9d7fa065a7aeb00fe51dbf2448b504258d3eb388b888fbaf398e515bcd63e2ec1f0af6f5f