Overview

overview

10

Static

static

10

try again please.exe

windows10-2004-x64

10

try again please.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    try again please.exe

  • Size

    63KB

  • MD5

    11ee3cbc775dd3ffb5ee383aa250e46c

  • SHA1

    06969e1b529d4caf9f2efc37c71ce1bd739fbc26

  • SHA256

    29c74b4d8f3f1ac56cae20be01b8969ee412427e6c4a2d5e2aab678eb53ed83e

  • SHA512

    4bedbda5ce9e6f02eb72a965a56f2cfdba5229361bda7391ac71a2daa6636a48866f98504e5ff61991df6c587af129746b7399bc2d88594569ef38df19a1adfd

  • SSDEEP

    768:xtM6NqDuiP/tkiP9JqBIe1wl5SNyNs1+ZSCv7mqb2nrpwH1ol9v68GhZVc6KN:xiDBlnecNsPGbbOwq9fGhZVclN

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:7707

127.0.0.1:23198

benefits-required.gl.at.ply.gg:23198:7707

benefits-required.gl.at.ply.gg:23198:23198
Mutex

roaroaroaraoroaroaraoraoraoarororrohrorororoaroaaoaoaoaroaroar

Attributes
  • delay

    1

  • install

    true

  • install_file

    windows defender firewall.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\try again please.exe
    "C:\Users\Admin\AppData\Local\Temp\try again please.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2E7.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:5116
      • C:\Users\Admin\AppData\Roaming\windows defender firewall.exe
        "C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2956
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=windows defender firewall.exe windows defender firewall.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffffd9946f8,0x7ffffd994708,0x7ffffd994718
      2⤵
        PID:2244
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
        2⤵
          PID:4976
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4784
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
          2⤵
            PID:4592
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
            2⤵
              PID:1964
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
              2⤵
                PID:2712
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
                2⤵
                  PID:4408
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
                  2⤵
                    PID:2464
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
                    2⤵
                      PID:2424
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2228
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
                      2⤵
                        PID:684
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
                        2⤵
                          PID:2376
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
                          2⤵
                            PID:2032
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,15051340325272063090,11767450319670225735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
                            2⤵
                              PID:3700
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4448
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4584

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                36988ca14952e1848e81a959880ea217

                                SHA1

                                a0482ef725657760502c2d1a5abe0bb37aebaadb

                                SHA256

                                d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                                SHA512

                                d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                fab8d8d865e33fe195732aa7dcb91c30

                                SHA1

                                2637e832f38acc70af3e511f5eba80fbd7461f2c

                                SHA256

                                1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

                                SHA512

                                39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                Filesize

                                1KB

                                MD5

                                f8e8f4b0822b0959d4d12dd4d40fe1dc

                                SHA1

                                cd97df319b3cf2695bcc3f305c5a6dfabb9c4331

                                SHA256

                                04c476f86e8ff788f0110db46370de2df4289fa64908bc89dcf1965a152a0017

                                SHA512

                                b5995dff3057ce24aea76664a419c629d632b21fa130e764a042c74bec84af4919ec19623fd6a5dd2678d0c3d89680d43ed529e2fa3f1c75fa34b15b8b758755

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                402B

                                MD5

                                54c1d311012f48e50ac72e9b0d6b8e71

                                SHA1

                                2a7569f5395a1efd20d031ed5e65c424b2e89861

                                SHA256

                                a69b42b2df74adb169138aab69eca376a5148930e440e90d8a57404069b6f38a

                                SHA512

                                9d1fa30376fa78197ae987410687c80463b5dbf518b7b789de8ec6809f58d3800033cd5c55a9573fcd842d656e7ead6ffb0f63841374e058558ae3ddc7f762f5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                350cb2f3989d85ac480db914e5d31f16

                                SHA1

                                f79dd745559a9adcc223e9edf3124adc47840ffa

                                SHA256

                                b1092e76ae9b6fd09c7739507a3679cea1a0f7e8ea7a24a9db243d011b932af1

                                SHA512

                                5ff430b3c73bf73db7ff02c674993d53c3896fcebd250e502402c044c73d35c40c7b7b96c5c6fe4fde7ed6327383a92dda0a365bf25b02117818516dda77598a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                fbfba97019d03a7dc255ab62a100d0e1

                                SHA1

                                658c0685dd4b90b7c1a5ca4ef6a084974f70481d

                                SHA256

                                64f7539155c21851158b8e48b192820de88a17a22992c751d41aca9111177cb1

                                SHA512

                                99962e4d0d386c782b7f99ba62ca7c7b7c713e3dbed4da6b75a5c9de1f4792a42f4898dc66b36445444ff9303ddb0edac8b174975a88a8cd99a9051139c420fc

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                10KB

                                MD5

                                a856ea050c49d3e6f84eba34bb3a6b49

                                SHA1

                                cb2ac08e3bf4fc745289807ff0cb3ce0b73e3c77

                                SHA256

                                13b7d2f761f37804d2c80cb8cd4487dc80b728574dbf3a195f5fef0274d19d05

                                SHA512

                                5c0461762f741edfa02f199c3b30d46a1cb81369229fe77b2c1e7204cb2f2727aad7bf3da8a4c301aa1989587c4028c225c533c75120e893b877c0aa66c97bc9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmpA2E7.tmp.bat
                                Filesize

                                169B

                                MD5

                                8faad4f939dc6a6c87b6517bca0d56c2

                                SHA1

                                0e016f48c5ef9d43963b650190449937a165f814

                                SHA256

                                d2b6c6160afc62c0e1b6522429241b450ec3b17fcb99aeef56f085ce78b8e441

                                SHA512

                                927dd534c21019457a2341779cdf0636a2680ce1f0e7a81c628fcb390f7cf4631c312ba059338fbd21ab3509d985d7ad798f33b274898bdfa7aa6f3f2295d954

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\windows defender firewall.exe
                                Filesize

                                63KB

                                MD5

                                11ee3cbc775dd3ffb5ee383aa250e46c

                                SHA1

                                06969e1b529d4caf9f2efc37c71ce1bd739fbc26

                                SHA256

                                29c74b4d8f3f1ac56cae20be01b8969ee412427e6c4a2d5e2aab678eb53ed83e

                                SHA512

                                4bedbda5ce9e6f02eb72a965a56f2cfdba5229361bda7391ac71a2daa6636a48866f98504e5ff61991df6c587af129746b7399bc2d88594569ef38df19a1adfd

                                Download Submit

                              • memory/2424-7-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2424-0-0x00007FF802EA3000-0x00007FF802EA5000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/2424-2-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2424-1-0x0000000000E00000-0x0000000000E16000-memory.dmp

                                Filesize

                                88KB

                                Download

                              • memory/2956-12-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-18-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-19-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-20-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-21-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-22-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-23-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-24-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-14-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2956-13-0x0000014B445D0000-0x0000014B445D1000-memory.dmp

                                Filesize

                                4KB

                                Download