Overview

overview

10

Static

static

3

72cd6d490f...cf.exe

windows7-x64

10

72cd6d490f...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10-12-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72cd6d490f03122c90b4a52c8bc7fb5b938123eaf4926b5cc5cee14f44bef3cf.exe

  • Size

    494KB

  • MD5

    a2bdb024c98b7e8d3d06fc86e110d204

  • SHA1

    2442360d37bf7e60b0d20c447bf5a0b51635a1d4

  • SHA256

    72cd6d490f03122c90b4a52c8bc7fb5b938123eaf4926b5cc5cee14f44bef3cf

  • SHA512

    b60afa45e29ddee3e3dc0d7e61bd5b9f3fb1d0c03a0655ab8f6c80b1fc5d6ff51f1b07a1af7ab1ce28d373f990d830f2f1c6e3c0e1efbaa280361a250ecb6850

  • SSDEEP

    6144:rTouKrWBEu3/Z2lpGDHU3ykJVX+tLC/Jm808PYfz1b8s4GYAMwX:rToPWBv/cpGrU3yUX+tLGA8mJbV2o

Score
10/10
asyncratdiscord hdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

true

Botnet

Discord H

Mutex

RRAT_nMo7Zfs0N

Attributes
  • delay

    3

  • install

    false

  • install_file

    powershell Add-MpPreference -ExclusionPath C:\

  • install_folder

    Explorer.exe

  • pastebin_config

    http://pastebin.com/raw/KKpnJShN

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72cd6d490f03122c90b4a52c8bc7fb5b938123eaf4926b5cc5cee14f44bef3cf.exe
    "C:\Users\Admin\AppData\Local\Temp\72cd6d490f03122c90b4a52c8bc7fb5b938123eaf4926b5cc5cee14f44bef3cf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.exe
        a.exe -p1234
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\rrat.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\rrat.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Add-MpPreference -ExclusionPath C:\
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2720
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"' & exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "Windows\WindowsUpdater" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"'
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1888
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC590.tmp.bat""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:1092
            • C:\Users\Admin\AppData\Roaming\Explorer.exe
              "C:\Users\Admin\AppData\Roaming\Explorer.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2084
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\Admin\AppData\Local\explore.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1604
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdate" /tr "C:\Users\Admin\AppData\Local\explore.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:276
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /Cschtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1864
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /sc ONIDLE /i 1 /rl highest /tn "Windows\WinUpdaters" /tr "cmd.exe /C powershell Add-MpPreference -ExclusionPath C:\"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.bat
    Filesize

    18B

    MD5

    cc1bfa4d25dc0d101cfe0a22852e9f00

    SHA1

    51c0172ac90f74fa675d96f326c2df8e85cc35ff

    SHA256

    3276f0ce57358545885aa30b873fa4b604a94689b7528a174d8c9e819873fb08

    SHA512

    d376d38607b12ffe2edafedf4a0c1932c88fe9db4e0a247d5104140d8da311a3b752c0d9a52e6048e3247d13efb3224218f56d276b22f2f26663e05334de81ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.exe
    Filesize

    301KB

    MD5

    7107f3fb53f9f3eaf3b95fd857f7aee9

    SHA1

    81e0dfe67b3b098c331eb3964e670e7762749b40

    SHA256

    3d74cbfd24a606b7f8c1e980cb08365c3127bed66b813f6fc7fb53eb19171cc0

    SHA512

    cd42e3d36a1f0bf7f0429df7ee0780d1d7039f0139f91e0cb71a488c8d50973df53fe70a7cdb09e50e5651e2c1a7fef3da0a4cb1e9225c5071711bd2d9f2e5d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC590.tmp.bat
    Filesize

    152B

    MD5

    efe0e1f2e81f46fea62c0a3b10697cc8

    SHA1

    d7a432698f9667fdf867676c5cdc473fe4917b5e

    SHA256

    c74c98d887ae718e4400fdcc82dbdd954768803452ce2444ee664d3168dcc2ce

    SHA512

    bd4d11edfc2f5c1118e233587cac6ddbd6ee31d5532b0cdad0e536efa21d98c0e2295d71327a4c5e171c7b8575f8743cbff3431458e5bee10d6bdd76cb06dc50

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX1\rrat.exe
    Filesize

    66KB

    MD5

    3d91c31a52be4e262f7f18272294ed99

    SHA1

    7c120a607650348fc4dfcdacdc77bf5885a9e6ac

    SHA256

    b99b28b82c9da1b009898da323d4793dde7828efcf777a56a835d54cbfec849d

    SHA512

    d17cc9db4d263addd524baa7b67974b2d4f0b904f46367cd6138805cd65a8364ea700a9df147dbb6dac8b1e7288a87fe24c497e1b1825f49b576e101789856d1

    Download Submit

  • memory/2084-52-0x0000000000210000-0x0000000000226000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2960-37-0x0000000000360000-0x0000000000376000-memory.dmp

    Filesize

    88KB

    Download