Analysis
-
max time kernel
93s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-12-2024 20:23
General
-
Target
file.exe
-
Size
654KB
-
MD5
ae806b6f5e02484c2be2b49da35b3d26
-
SHA1
66ae8df94cd9e804fab01bc6be77cfec8d544226
-
SHA256
7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
-
SHA512
8ea9cfe94bc4dbfc0a6c43b811461e6da4cab55fe6a3ddd1a4795f0887b2a311a6e9d9a464bb9253985c5a68cc206c36a703319463e5daca92adbe056e16a968
-
SSDEEP
12288:77MfJIBvlbmLC3sCPtRzSXiBdja/z2UmG5pc4M1xK/5BFz2430RUwy9EXX+CNkkR:SIme3LLAiBdMmGpNkspz2i0RUwFOCND
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.208.158.187:4449
tnybaidkzovl
-
delay
10
-
install
true
-
install_file
NotepadUpdate.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AtkzppDHiyvcIR.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE242.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp11CE.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AtkzppDHiyvcIR.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EA5.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7b9acb869ccc7f7ecb5304ec0384dee
SHA16a90751c95817903ee833d59a0abbef425a613b3
SHA2568cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4
SHA5127bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD55692e6aedc1f4b74d305a9f9e25c7bf5
SHA13143b0290751f51833263900046d844b724b21dc
SHA256875f22383c05ab4b31f9afa36862bc474bb968cb8a931006b87c522014eb7e05
SHA5125aefe5c2cfb377474e7a3497739596f166b317f49ece2c8b8d825d44ebe18384d440bc6505078c0fad0a6b10422d5a7e585349b15da4c712dc84d45913d3ddfa
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
157B
MD59c1f1cbb5613e26fcf6de831b9d0f1bd
SHA137ab795af9a85e60d74b92299514288f314ade12
SHA25676097747808a4981d3b14a069a40e3f599988e75183b46f2d1b12aa6b0158e27
SHA512e3f346414e018e93106c09061614b5a4a8df349a5c660705c1699799831628cb320030ef3e66c1e579ad1c526cb8ccccfff9b5978cdc0a143184a55cf17838b7
-
Filesize
1KB
MD5f1ecf89230039f8702bb9fff297c0a8c
SHA1be4172cf4aacdc140ba4528e2305e6ae7ef3f60d
SHA256b86d2810250feef85e0dbdfeb7aed1cc0eabef271691f88bb3c796e3cd736d2a
SHA5125a17fc6c551204285d8f385b046e5ec371419e92c52c53844f233ac3556a3fc1153dc636616efc8fe6524db57abe0ee4b8881a158672c6621c5f5e999adef9f6
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
654KB
MD5ae806b6f5e02484c2be2b49da35b3d26
SHA166ae8df94cd9e804fab01bc6be77cfec8d544226
SHA2567a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
SHA5128ea9cfe94bc4dbfc0a6c43b811461e6da4cab55fe6a3ddd1a4795f0887b2a311a6e9d9a464bb9253985c5a68cc206c36a703319463e5daca92adbe056e16a968
-
Filesize
3.3MB
-
Filesize
80KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
376KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
664KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
584KB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB