Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
09/12/2024, 16:03
General
-
Target
arf.exe
-
Size
63KB
-
MD5
f69a0edbc9c44a09ed18e5a501b6621b
-
SHA1
7b835c5a70749c3e33c338943344ae65fe6d7aaf
-
SHA256
b1c2d42876dbd40a3cbce84cd5e4e44b76c2e35c7618f9c831416d6442667d33
-
SHA512
a8067e96218406d1afa94c827d630b5835374db71c794d6de0f6a75756935cc4b2ee74bb72f9ac2034a6d8ccab81a503aeca01b6fad76b17a59ed4ebd1703644
-
SSDEEP
1536:diDBlKWYEk2KwYjGbbKwg9z+aGtZVclN:dmlKWYEb6GbbK5VizY
Malware Config
Extracted
asyncrat
1.0.7
Default
roarwasd12312-34767.portmap.host:8848
roarwasd12312-34767.portmap.host:34767
roaroaroaraoroaroaraoraoraoarororrohrorororoaroaaoaoaoaroaroar
-
delay
1
-
install
true
-
install_file
windows defender firewall.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\arf.exe"C:\Users\Admin\AppData\Local\Temp\arf.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6784.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169B
MD55759942a9c4ab1b3b23b28946c5b26c3
SHA16510cc353b31e7936f75c9531532adda2296f014
SHA256e7dfc73f93f8e40a85cffbacee740a28b4bb2e6ae05e94ee91875e88e1025d35
SHA512ee4f68e4f88aa82c6a5f8daf001e5ab332474ea0718e03276ac46af3aff222b708316078596cfaa51a26134ddabda9a6670c4b86e5e7adf86a0e0936b755ed57
-
Filesize
63KB
MD5f69a0edbc9c44a09ed18e5a501b6621b
SHA17b835c5a70749c3e33c338943344ae65fe6d7aaf
SHA256b1c2d42876dbd40a3cbce84cd5e4e44b76c2e35c7618f9c831416d6442667d33
SHA512a8067e96218406d1afa94c827d630b5835374db71c794d6de0f6a75756935cc4b2ee74bb72f9ac2034a6d8ccab81a503aeca01b6fad76b17a59ed4ebd1703644
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB