Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 23:02
Behavioral task
behavioral1
Sample
80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe
Resource
win7-20240903-en
General
Target: 80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe
Size: 48KB
MD5: 9f7d48fd36a1493b4c25131f95339bd6
SHA1: d6623ce807d0c8edfaa455f978912d2dda9e83ea
SHA256: 80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0
SHA512: 169b335730e20f35cf0eff52c05c805de2dfc9f66245682bfffbce9ee34237141cc1837e5ecc8e1ca19e66dd128aa027f033161002905042b589aa1a2d86dae0
SSDEEP: 768:WL0aWbILWCaS+DilhwiVixzYbYge6E8vEgK/JlBVc6KN:WgaMWlhwlcbPnfnkJlBVclN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
C2: 7.tcp.eu.ngrok.io:12728
Mutex: whrjiouwrhjnwui (the page shows this string unlabeled; the label follows the usual AsyncRAT config layout)
delay: 1
install: true
install_file: MsEdge.exe
install_folder: %Temp%
The install_file and install_folder values match the dropped copy that actually runs in the process tree below (C:\Users\Admin\AppData\Local\Temp\MsEdge.exe), and the C2 is an ngrok TCP tunnel endpoint, so the operator's real address is hidden behind ngrok's relay and the port (12728) is the tunnel's assigned port, not the listener's.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0008000000023cbd-10.dat, yara rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation, by 80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe
- Executes dropped EXE (1 IoC)
  PID 3024 MsEdge.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flows 15, 47 and 62 to 7.tcp.eu.ngrok.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 4320 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1624 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 1192 80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe (all 23 events come from this one process)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1192 80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe
  Token: SeDebugPrivilege, PID 3024 MsEdge.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1192 (80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe) wrote to memory of 3604 (procid_target 85, twice) and 3768 (procid_target 87, twice)
  PID 3604 (cmd.exe) wrote to memory of 1624 (procid_target 89, twice)
  PID 3768 (cmd.exe) wrote to memory of 4320 (procid_target 90, twice) and 3024 (procid_target 92, twice)
  Every target is the writer's own direct child in the process tree below, which is what ordinary process creation looks like to this hook; there is no write into an unrelated process here, so treat this signature as confirmation of the spawn chain rather than as evidence of injection.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe
    "C:\Users\Admin\AppData\Local\Temp\80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1192
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MsEdge" /tr '"C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"' & exit
      - Suspicious use of WriteProcessMemory
      PID: 3604
    [3] C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "MsEdge" /tr '"C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"'
        - Scheduled Task/Job: Scheduled Task
        PID: 1624
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE60.tmp.bat""
      - Suspicious use of WriteProcessMemory
      PID: 3768
    [3] C:\Windows\system32\timeout.exe
        timeout 3
        - Delays execution with timeout.exe
        PID: 4320
    [3] C:\Users\Admin\AppData\Local\Temp\MsEdge.exe
        "C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 3024
Chain summary: the sample first registers an on-logon scheduled task named "MsEdge" (/rl highest, so it runs with the user's elevated token when that user is an administrator) pointing at the copy it drops in %Temp%, then runs a temporary batch file that sleeps 3 seconds with timeout.exe and starts that copy, which becomes the long-running AsyncRAT process. For triage, the task name "MsEdge", the path C:\Users\Admin\AppData\Local\Temp\MsEdge.exe and the ngrok endpoint are the indicators worth pivoting on; the .bat name (tmpAE60.tmp.bat) is generated per run and will differ on other hosts.
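As an added example (not part of the sandbox report and not AsyncRAT's or any vendor's code), the following Python turns the three behaviours in this tree into detection logic and runs it over constructed process-creation records: an on-logon scheduled task whose action lives under the user's Temp directory, a cmd.exe-launched .bat that sleeps with timeout.exe and then starts an executable from Temp, and a C2 endpoint on an ngrok TCP tunnel. The record layout, the parent PID 4100, the file name sample.exe (standing in for the hash-named sample) and the benign "Updater" task are constructed for contrast; the other PIDs, command lines and the ngrok endpoint are the report's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# <n>.tcp.ngrok.io or <n>.tcp.<region>.ngrok.io are ngrok TCP tunnel endpoints
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)
TR_ARG = re.compile(r"""/tr\s+['"]+([^'"]+)""", re.IGNORECASE)  # task action
TN_ARG = re.compile(r"""/tn\s+"?([^\s"]+)""", re.IGNORECASE)     # task name


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_schtasks_persistence(ev):
    """schtasks.exe creating an on-logon task whose action lives under the user's Temp."""
    if basename(ev.image) != "schtasks.exe":
        return None
    cl = ev.cmdline.lower()
    if "/create" not in cl or "onlogon" not in cl:
        return None
    tr = TR_ARG.search(ev.cmdline)
    if not tr or not TEMP_DIR.search(tr.group(1)):
        return None
    tn = TN_ARG.search(ev.cmdline)
    return {
        "rule": "schtasks_onlogon_from_temp",
        "pid": ev.pid,
        "task_name": tn.group(1) if tn else None,
        "action": tr.group(1),
        # /rl highest requests the elevated token when the user is an administrator
        "severity": "high" if "/rl highest" in cl else "medium",
    }


def detect_delayed_relaunch(events):
    """cmd.exe running a .bat from Temp that spawns timeout.exe plus an .exe from Temp."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        cl = ev.cmdline.lower()
        if basename(ev.image) != "cmd.exe" or ".bat" not in cl or not TEMP_DIR.search(cl):
            continue
        kids = children[ev.pid]
        delayed = any(basename(k.image) == "timeout.exe" for k in kids)
        dropped = [k.image for k in kids
                   if k.image.lower().endswith(".exe") and TEMP_DIR.search(k.image)]
        if delayed and dropped:
            hits.append({"rule": "batch_delay_then_exec_from_temp",
                         "cmd_pid": ev.pid, "dropped": dropped})
    return hits


def detect_ngrok_c2(endpoint):
    """Flag a host[:port] that is an ngrok TCP tunnel, as the C2 in this report is."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        host, port = endpoint, None
    if not NGROK_TCP.match(host):
        return None
    return {"rule": "ngrok_tcp_tunnel_c2", "host": host,
            "port": int(port) if port else None}


def run(events, endpoints):
    findings = [f for f in (detect_schtasks_persistence(e) for e in events) if f]
    findings += detect_delayed_relaunch(events)
    findings += [f for f in (detect_ngrok_c2(h) for h in endpoints) if f]
    return findings


# Constructed records mirroring the tree above; sample.exe stands in for the hash-named
# sample, and parent PID 4100 plus the benign "Updater" task are made up for contrast.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
TASK = r'''schtasks /create /f /sc onlogon /rl highest /tn "MsEdge" /tr '"C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"' '''.strip()
EVENTS = [
    ProcEvent(1192, 4100, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3604, 1192, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + TASK + " & exit"),
    ProcEvent(1624, 3604, r"C:\Windows\system32\schtasks.exe", TASK),
    ProcEvent(3768, 1192, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE60.tmp.bat""'),
    ProcEvent(4320, 3768, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(3024, 3768, r"C:\Users\Admin\AppData\Local\Temp\MsEdge.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"'),
    ProcEvent(5000, 4100, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Updater" /tr "C:\Program Files\Vendor\upd.exe"'),
]
ENDPOINTS = ["7.tcp.eu.ngrok.io:12728", "example.com:443"]

if __name__ == "__main__":
    for finding in run(EVENTS, ENDPOINTS):
        print(finding)
```

The schtasks rule keys on the task action's location rather than the task name, because the name ("MsEdge") is attacker-chosen and trivially changed, while an on-logon task whose action lives in a user-writable Temp directory is rarely legitimate. The relaunch rule needs parent/child context, so it builds the tree from ppid first; a single-event rule on "timeout 3" alone would be far too noisy.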
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (same hashes as the submitted sample)
Filesize: 48KB
MD5: 9f7d48fd36a1493b4c25131f95339bd6
SHA1: d6623ce807d0c8edfaa455f978912d2dda9e83ea
SHA256: 80568be5a0b6b9d96b0dde9a45d9b9ae74f9cd97af8f9ae533904ff804bec8e0
SHA512: 169b335730e20f35cf0eff52c05c805de2dfc9f66245682bfffbce9ee34237141cc1837e5ecc8e1ca19e66dd128aa027f033161002905042b589aa1a2d86dae0
File 2
Filesize: 153B
MD5: 95e44d54b67bb5c72a83bfacdaad906f
SHA1: cc2d95fb34306e4f675f697913661eed6a0c8088
SHA256: 7b349b26ae037922455d1af1f0787b96a4f826a566dfad91044b010972ac948c
SHA512: 0f70b8560e063615f1fac9f6e9582eaf6087b9e9b6e9e43a3fb147d17f899573c6bcae46015b9bc92807fdb7da1ad0507f06ba904b1e90490ac72ddcfa4612b4