Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
11-12-2024 21:54
Behavioral task
behavioral1
Sample
try.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
try.exe
-
Size
47KB
-
MD5
c6e12fefdec665d8ba5f2102f1329e3a
-
SHA1
fa2d30cfad462faa20a6a48f1b20db59c2d31bdc
-
SHA256
3d1628fb4c4f00119992f91caa94a313f26a8490058a1cb3fc42850d46415e1b
-
SHA512
ad0a6f3dcc08aa0f135ca777d186f1ed76df60cf580f76cd5257ded9b5d83712329d3ff0c1e3a5dd328503885fce65339e504778ab7e107bc02aa3563325fb54
-
SSDEEP
768:4uY69T3kH1jWUvTqRmo2qbfsvQQfCIVPIk4k2L0bsHVy+j/Mu3Ff0WQeMfSBDZ4x:4uY69T34y20Qf/ylrAbsHVhj/1f0rsdq
Malware Config
Extracted
Family
asyncrat
Version
0.5.8
Botnet
Default
C2
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
weak-onions-tap.loca.lt:6606
weak-onions-tap.loca.lt:7707
weak-onions-tap.loca.lt:8808
Mutex
6YwTvE25VuNs
Attributes
-
delay
3
-
install
true
-
install_file
roar.exe
-
install_folder
%AppData%
aes.plain
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/files/0x001b00000002aab7-11.dat family_asyncrat -
Executes dropped EXE 1 IoCs
pid Process 3092 roar.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language try.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language roar.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1552 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3504 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 3908 try.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2028 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3908 try.exe Token: SeDebugPrivilege 2028 taskmgr.exe Token: SeSystemProfilePrivilege 2028 taskmgr.exe Token: SeCreateGlobalPrivilege 2028 taskmgr.exe Token: SeDebugPrivilege 3092 roar.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe 2028 taskmgr.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3908 wrote to memory of 3160 3908 try.exe 77 PID 3908 wrote to memory of 3160 3908 try.exe 77 PID 3908 wrote to memory of 3160 3908 try.exe 77 PID 3908 wrote to memory of 1500 3908 try.exe 79 PID 3908 wrote to memory of 1500 3908 try.exe 79 PID 3908 wrote to memory of 1500 3908 try.exe 79 PID 3160 wrote to memory of 3504 3160 cmd.exe 81 PID 3160 wrote to memory of 3504 3160 cmd.exe 81 PID 3160 wrote to memory of 3504 3160 cmd.exe 81 PID 1500 wrote to memory of 1552 1500 cmd.exe 82 PID 1500 wrote to memory of 1552 1500 cmd.exe 82 PID 1500 wrote to memory of 1552 1500 cmd.exe 82 PID 1500 wrote to memory of 3092 1500 cmd.exe 83 PID 1500 wrote to memory of 3092 1500 cmd.exe 83 PID 1500 wrote to memory of 3092 1500 cmd.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\try.exe"C:\Users\Admin\AppData\Local\Temp\try.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E58.tmp.bat""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1552
-
-
C:\Users\Admin\AppData\Roaming\roar.exe"C:\Users\Admin\AppData\Roaming\roar.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148B
MD5f5f09e0b67e83305ea0cc5769d4bc024
SHA1e91737d3384c73ee466cac93f1407a84664d86f7
SHA256b5c5593f8c91f9ad85cb03f0a11bbd5bc70e8512a47cff49d1fdb08e73b8eb8f
SHA5127a91032064d6f0fe531bc8581a5cdc50548730d203a9fd7a3a748a37faa6a766aef9dfc8aefa420672ead296115750c63a0e680e1a8c403038f66946a0c633ae
-
Filesize
47KB
MD5c6e12fefdec665d8ba5f2102f1329e3a
SHA1fa2d30cfad462faa20a6a48f1b20db59c2d31bdc
SHA2563d1628fb4c4f00119992f91caa94a313f26a8490058a1cb3fc42850d46415e1b
SHA512ad0a6f3dcc08aa0f135ca777d186f1ed76df60cf580f76cd5257ded9b5d83712329d3ff0c1e3a5dd328503885fce65339e504778ab7e107bc02aa3563325fb54