Analysis

  • max time kernel
    128s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 13:31

General

  • Target

    38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe

  • Size

    694KB

  • MD5

    32c67f99f3c95ba5e1816ca208f9b723

  • SHA1

    c1e29ecea3c87d671448b9dbcc8d8c67b0d14b7e

  • SHA256

    38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7

  • SHA512

    578526bda2f08948475726f36bf247aabeb8f3941f95153d6786bc0db6e43bad44502ef1757bae2bb7c6f6bd0a4bd51e9b33ae363be293b75f490a26c03795f8

  • SSDEEP

    12288:btoKggb2iNdvpc++pd1yIBbrk4ct0gdK/5SVns2M2TgN/0s:5oKgK1XpSpGIZn9+YSVsggi

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

37.0.14.198:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    .exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
    "C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nxBIuIS.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nxBIuIS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9444.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2680
    • C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
      "C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\Admin\AppData\Roaming\.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\Admin\AppData\Roaming\.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1952
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA38F.tmp.bat""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1732
        • C:\Users\Admin\AppData\Roaming\.exe
          "C:\Users\Admin\AppData\Roaming\.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1156
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nxBIuIS.exe"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nxBIuIS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60F5.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1132
          • C:\Users\Admin\AppData\Roaming\.exe
            "C:\Users\Admin\AppData\Roaming\.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9444.tmp

    Filesize

    1KB

    MD5

    4f90a7174bb34b400a64202a8c28ab57

    SHA1

    3d78ef9e7468afeb417af90f8aebed71e27669b8

    SHA256

    28bff45b4da73c2901a2388c85e3447680cd6f6541f543f6b2f62be5b0ee03a3

    SHA512

    b2466543740950bc2cb4ccc0194118ba8ea71bc26480fd32405de9bb1aeeb8d09196bd3c2eb5efabcf966cb634102087a892f580d5d9059142e0ace6f7830ea7

  • C:\Users\Admin\AppData\Local\Temp\tmpA38F.tmp.bat

    Filesize

    144B

    MD5

    acc8103d0dfe9d262cbfc7ce6007025a

    SHA1

    baa1a6b5d9be3dc34fe01300228049b8d5d7d02f

    SHA256

    db1ab8f5a6d7354ca04f1ff642722b050caaba5f2c996fbd893b5f75bb01c561

    SHA512

    f4effb51e548a131cf7accb6cd5611dbc5b6f87a0908ec83c79e258cac76c5a80efbf674d701d2b1e392caf0ff82d1a77ad16893192f717f69f63d65c7d7fb11

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    bdd3e8fc4060367e288994d70903d15e

    SHA1

    b933d8d5eb83c20d8c2fb040f3d59a956e075ee8

    SHA256

    e9c0b8ef15d1e685d755126b2cbbaf395a615f284550d1e38ce7edca87af55a6

    SHA512

    b7cb1cf16fb11cd20bf62ab36b25f733b52a205294e26da2f2892d46e72ae9df9f14ffc52e8ee854609520fdae3c0c43c01976caaac8882e6d867fbad24488b3

  • \Users\Admin\AppData\Roaming\.exe

    Filesize

    694KB

    MD5

    32c67f99f3c95ba5e1816ca208f9b723

    SHA1

    c1e29ecea3c87d671448b9dbcc8d8c67b0d14b7e

    SHA256

    38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7

    SHA512

    578526bda2f08948475726f36bf247aabeb8f3941f95153d6786bc0db6e43bad44502ef1757bae2bb7c6f6bd0a4bd51e9b33ae363be293b75f490a26c03795f8

  • memory/868-29-0x0000000074890000-0x0000000074F7E000-memory.dmp

    Filesize

    6.9MB

  • memory/868-1-0x00000000011F0000-0x00000000012A4000-memory.dmp

    Filesize

    720KB

  • memory/868-6-0x0000000000530000-0x000000000053C000-memory.dmp

    Filesize

    48KB

  • memory/868-7-0x0000000000DF0000-0x0000000000E44000-memory.dmp

    Filesize

    336KB

  • memory/868-4-0x000000007489E000-0x000000007489F000-memory.dmp

    Filesize

    4KB

  • memory/868-15-0x0000000000F10000-0x0000000000F24000-memory.dmp

    Filesize

    80KB

  • memory/868-5-0x0000000074890000-0x0000000074F7E000-memory.dmp

    Filesize

    6.9MB

  • memory/868-0-0x000000007489E000-0x000000007489F000-memory.dmp

    Filesize

    4KB

  • memory/868-2-0x0000000074890000-0x0000000074F7E000-memory.dmp

    Filesize

    6.9MB

  • memory/868-3-0x00000000003B0000-0x00000000003D4000-memory.dmp

    Filesize

    144KB

  • memory/1156-43-0x0000000000870000-0x0000000000894000-memory.dmp

    Filesize

    144KB

  • memory/1156-42-0x0000000000D00000-0x0000000000DB4000-memory.dmp

    Filesize

    720KB

  • memory/1380-63-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1380-65-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1380-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2324-18-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2324-20-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2324-22-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2324-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2324-25-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2324-26-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2324-28-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2324-16-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB