Analysis

Max time kernel: 146s
Max time network: 155s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 22-12-2024 19:11

Static task: static1
Behavioral task: behavioral1
  Sample: image.exe
  Resource: win7-20240903-en
General

Target: image.exe
Size: 808KB
MD5: ae15992ecc241654997b0e4bcfaa07b3
SHA1: 9ef2cb53adea59c6045a492d7b7317ecb3998373
SHA256: cf3dab2a4ba21609762dff658b3b6831f2ae5976adfe0aed8f76090d30c7f1b3
SHA512: 7654e5a81945f357b252c51189d1ddacc941184a9800723c955a0ed3d463fc82872d31b352184886b9ae20d0b34e906892e765577d6819bcadbfba98f0145ab3
SSDEEP: 12288:FUDM6VWVHA/L5DnbH22qla5w/yXbxFPkWtslyfZGxrNDFhmlUv2Ju:FUDM6VWKNbH0MW/IbxQ0RK5fv2Ju
Malware Config

Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 185.140.53.131:7171
Mutex: AsyncMutex_6SI8OkPnk
Delay: 3
Install: true
Install file: image.exe
Install folder: %AppData%

The extracted config is corroborated by the behaviour recorded below: install_folder %AppData% plus install_file image.exe is exactly the C:\Users\Admin\AppData\Roaming\image.exe that the installer batch launches in the process tree, and the configured delay of 3 is the "timeout 3" that batch runs before launching it.
Signatures

- Asyncrat family
- Executes dropped EXE (2 IoCs)
  PID   Process
  2844  image.exe
  1368  image.exe
- Loads dropped DLL (1 IoC)
  PID   Process
  1260  cmd.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Parent PID  Parent process  Target PID  procid_target
  2160        image.exe       2200        35
  2844        image.exe       1368        49
  Both targets are freshly started copies of the parent's own image (see the process tree); together with the WriteProcessMemory counts below this is the process-hollowing pattern.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process         Opens
  image.exe       4
  cmd.exe         4
  timeout.exe     3
  powershell.exe  2
  schtasks.exe    1
  Every process in the tree, including the stock timeout.exe and schtasks.exe helpers, opens this key, so on its own the signature does not attribute geolocation logic to the sample.
- Delays execution with timeout.exe (3 IoCs)
  PID   Process
  2612  timeout.exe
  1480  timeout.exe
  3060  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  3048  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID   Process         Count
  2700  powershell.exe  1
  2160  image.exe       2
  2200  image.exe       3
  2272  powershell.exe  1
  2844  image.exe       2
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege
  PID   Process
  2700  powershell.exe
  2160  image.exe
  2200  image.exe
  2272  powershell.exe
  2844  image.exe
  1368  image.exe
- Suspicious use of WriteProcessMemory (62 IoCs)
  The sandbox logs one entry per call; collapsed here to one row per parent/child pair with the number of calls.
  Parent PID  Parent process  Child PID  procid_target  Calls
  2160        image.exe       2700       30             4
  2160        image.exe       2628       32             4
  2628        cmd.exe         2612       34             4
  2160        image.exe       2200       35             9
  2200        image.exe       1160       36             4
  2200        image.exe       1260       38             4
  1160        cmd.exe         3048       40             4
  1260        cmd.exe         1480       41             4
  1260        cmd.exe         2844       42             4
  2844        image.exe       2272       43             4
  2844        image.exe       2156       45             4
  2156        cmd.exe         3060       47             4
  2844        image.exe       1368       49             9
  The two pairs with nine calls (2160 -> 2200 and 2844 -> 1368) are the same pairs listed under SetThreadContext; every other child creation in the run is logged with four calls.
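As an added example (not part of the sandbox report), the following Python rebuilds the parent/child memory-write graph from IoC lines in the format the WriteProcessMemory and SetThreadContext tables above use, and flags the pairs that look like process hollowing. The IoC lines and the PID-to-image map are constructed from this page; the rule (same image as the parent, written to, then SetThreadContext) and the function names are mine.

```python
"""Rebuild the parent->child WriteProcessMemory graph from the sandbox IoC
lines and pick out the pairs that look like process hollowing."""
import re
from collections import Counter

# Constructed from the report's "Suspicious use of WriteProcessMemory" table.
# Line format: "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>".
# The sandbox logs one line per call, so each line is repeated as often as in
# the report; that reproduces the 62 entries it counts.
WPM_LINES = (
    ["PID 2160 wrote to memory of 2700 2160 image.exe 30"] * 4
    + ["PID 2160 wrote to memory of 2628 2160 image.exe 32"] * 4
    + ["PID 2628 wrote to memory of 2612 2628 cmd.exe 34"] * 4
    + ["PID 2160 wrote to memory of 2200 2160 image.exe 35"] * 9
    + ["PID 2200 wrote to memory of 1160 2200 image.exe 36"] * 4
    + ["PID 2200 wrote to memory of 1260 2200 image.exe 38"] * 4
    + ["PID 1160 wrote to memory of 3048 1160 cmd.exe 40"] * 4
    + ["PID 1260 wrote to memory of 1480 1260 cmd.exe 41"] * 4
    + ["PID 1260 wrote to memory of 2844 1260 cmd.exe 42"] * 4
    + ["PID 2844 wrote to memory of 2272 2844 image.exe 43"] * 4
    + ["PID 2844 wrote to memory of 2156 2844 image.exe 45"] * 4
    + ["PID 2156 wrote to memory of 3060 2156 cmd.exe 47"] * 4
    + ["PID 2844 wrote to memory of 1368 2844 image.exe 49"] * 9
)
# Constructed from the report's "Suspicious use of SetThreadContext" table.
STC_LINES = [
    "PID 2160 set thread context of 2200 2160 image.exe 35",
    "PID 2844 set thread context of 1368 2844 image.exe 49",
]
# PID -> image path, taken from the Processes section of the report.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS = r"C:\Windows\SysWOW64"
PID_IMAGE = {
    2160: TMP + r"\image.exe", 2200: TMP + r"\image.exe",
    2844: ROAM + r"\image.exe", 1368: ROAM + r"\image.exe",
    2700: SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
    2272: SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
    2628: SYS + r"\cmd.exe", 1160: SYS + r"\cmd.exe",
    1260: SYS + r"\cmd.exe", 2156: SYS + r"\cmd.exe",
    2612: SYS + r"\timeout.exe", 1480: SYS + r"\timeout.exe",
    3060: SYS + r"\timeout.exe", 3048: SYS + r"\schtasks.exe",
}

# The parent PID is repeated as the third number on each line; \1 enforces that.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)$")


def count_writes(lines):
    """Counter[(parent_pid, child_pid)] -> number of WriteProcessMemory calls."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError("unexpected IoC line: %r" % line)
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def thread_context_pairs(lines):
    """Set of (parent_pid, child_pid) pairs that received SetThreadContext."""
    pairs = set()
    for line in lines:
        m = STC_RE.match(line.strip())
        if not m:
            raise ValueError("unexpected IoC line: %r" % line)
        pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def hollowing_candidates(edges, stc_pairs, pid_image):
    """Parent writes into a child that runs the parent's own image and then
    resets that child's thread context: the hollowing sequence. Ordinary
    children (cmd -> timeout, cmd -> schtasks) never get SetThreadContext."""
    out = []
    for (parent, child), writes in sorted(edges.items()):
        if (parent, child) in stc_pairs and pid_image.get(parent) == pid_image.get(child):
            out.append({"parent": parent, "child": child, "writes": writes,
                        "image": pid_image[child]})
    return out


if __name__ == "__main__":
    edges = count_writes(WPM_LINES)
    for cand in hollowing_candidates(edges, thread_context_pairs(STC_LINES), PID_IMAGE):
        print(cand)
```

On this page every ordinary child creation is logged with four writes, while the two children that also receive SetThreadContext get nine; the function keys on the SetThreadContext pair plus the identical image path rather than on the count, so a sample that writes less would still be caught.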
Processes

Each process is listed with its image path, command line, PID and the signatures that fired on it; indentation follows the parent/child nesting reported by the sandbox, and the leading number is the nesting level.

1  C:\Users\Admin\AppData\Local\Temp\image.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
   PID: 2160
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
      PID: 2700
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
      PID: 2628
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 20
         PID: 2612
         - System Location Discovery: System Language Discovery
         - Delays execution with timeout.exe

   2  C:\Users\Admin\AppData\Local\Temp\image.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\image.exe
      PID: 2200
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Roaming\image.exe"' & exit
         PID: 1160
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Roaming\image.exe"'
            PID: 3048
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

      3  C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3AD.tmp.bat""
         PID: 1260
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 3
            PID: 1480
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

         4  C:\Users\Admin\AppData\Roaming\image.exe
            Command line: "C:\Users\Admin\AppData\Roaming\image.exe"
            PID: 2844
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
               PID: 2272
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken

            5  C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
               PID: 2156
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6  C:\Windows\SysWOW64\timeout.exe
                  Command line: timeout 20
                  PID: 3060
                  - System Location Discovery: System Language Discovery
                  - Delays execution with timeout.exe

            5  C:\Users\Admin\AppData\Roaming\image.exe
               Command line: C:\Users\Admin\AppData\Roaming\image.exe
               PID: 1368
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of AdjustPrivilegeToken
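As an added example (not part of the sandbox report), the following Python turns the chain in the process tree into hunting rules over Sysmon-style process-creation events: the onlogon scheduled task at highest run level pointing into a user-writable folder, cmd.exe running a tmpXXXX.tmp.bat from %TEMP%, timeout/Start-Sleep stalling started by an executable in Temp or Roaming, and an executable relaunching its own image. The events are constructed from the Processes section above (PID 2160's parent is not on the page, so its parent PID is a placeholder); the three explorer.exe events at the end are made up as a benign control; the rule names and the tmp[0-9A-F]{4}.tmp.bat generalisation of the one batch name on the page are my assumptions.

```python
"""Hunt for the execution chain in this report in Sysmon-style process
creation events (ProcessId, ParentProcessId, Image, CommandLine)."""
import re
from collections import defaultdict

# Folders a standard user can write to; the sample runs and installs from here.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Assumed generalisation of the one name on the page (tmpC3AD.tmp.bat).
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat", re.IGNORECASE)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS = r"C:\Windows\SysWOW64"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
SLEEP = '"powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;'
SCHTASKS = r"""schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Roaming\image.exe"'"""


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the Processes section of the report; the last three
# events are a made-up benign control (explorer -> cmd /c timeout).
EVENTS = [
    ev(2160, 1, TMP + r"\image.exe", '"' + TMP + r'\image.exe"'),
    ev(2700, 2160, PS, SLEEP),
    ev(2628, 2160, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c timeout 20'),
    ev(2612, 2628, SYS + r"\timeout.exe", "timeout 20"),
    ev(2200, 2160, TMP + r"\image.exe", TMP + r"\image.exe"),
    ev(1160, 2200, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS + " & exit"),
    ev(3048, 1160, SYS + r"\schtasks.exe", SCHTASKS),
    ev(1260, 2200, SYS + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3AD.tmp.bat""'),
    ev(1480, 1260, SYS + r"\timeout.exe", "timeout 3"),
    ev(2844, 1260, ROAM + r"\image.exe", '"' + ROAM + r'\image.exe"'),
    ev(2272, 2844, PS, SLEEP),
    ev(2156, 2844, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c timeout 20'),
    ev(3060, 2156, SYS + r"\timeout.exe", "timeout 20"),
    ev(1368, 2844, ROAM + r"\image.exe", ROAM + r"\image.exe"),
    ev(3999, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(4000, 3999, r"C:\Windows\System32\cmd.exe", "cmd /c timeout 5"),
    ev(4001, 4000, r"C:\Windows\System32\timeout.exe", "timeout 5"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {rule_name: [pids that matched]}."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        name, cmd, low = basename(e["image"]), e["cmdline"], e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        in_userpath = lambda p: p is not None and USER_WRITABLE.search(p["image"]) is not None

        # 1. Logon-triggered task at highest run level whose action lives in a
        #    user-writable folder (the /tr target seen in the report).
        if (name == "schtasks.exe" and "/create" in low and "/sc onlogon" in low
                and "/rl highest" in low and USER_WRITABLE.search(cmd)):
            hits["schtasks_onlogon_highest_userpath"].append(e["pid"])

        # 2. cmd.exe running a tmpXXXX.tmp.bat out of %TEMP% (the installer script).
        if name == "cmd.exe" and TEMP_BAT.search(cmd):
            hits["temp_batch_installer"].append(e["pid"])

        # 3. Stalling started by a user-path executable, either directly
        #    (powershell Start-Sleep) or through a cmd /c timeout wrapper.
        if name == "powershell.exe" and "start-sleep" in low and in_userpath(parent):
            hits["delay_from_userpath_exe"].append(e["pid"])
        if (name == "timeout.exe" and parent is not None
                and basename(parent["image"]) == "cmd.exe" and in_userpath(grandparent)):
            hits["delay_from_userpath_exe"].append(e["pid"])

        # 4. A user-path executable whose parent is the very same image: the
        #    host of the SetThreadContext/WriteProcessMemory pattern above.
        if in_userpath(e) and parent is not None and parent["image"].lower() == e["image"].lower():
            hits["self_spawn_userpath"].append(e["pid"])
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(rule, pids)
```

Rule 3 walks one level up on purpose: the timeout.exe processes here are grandchildren of the sample, so matching on the direct parent alone would only ever see cmd.exe and would fire on the benign explorer-launched control as well.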
Network

MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 149B
  MD5: 9b13b88164cca11d433da21a831ca4af
  SHA1: a7a11ec5469d87e88513bb8b2a1d0c0e19499ba1
  SHA256: e65a5a559e9ce327fc85845362803e9711fec1d3e98179694216236f3b75148e
  SHA512: 11a2f7ba07d96dd33e9889efbe22be34e256df51e5ffad36cc2e6bbdd19b10d8d91604ca7341228c126466adb17a5bace7777b1ff34f068abfe0cb5328b694b6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 95fc81bc72ad63a2018398c3c528929e
  SHA1: 3384ebc50de1e64c5916c355618190f67d58229a
  SHA256: cecd034656289607c018608e8823ac79fb2ae5292a9d5c4d68cff01a43b476fd
  SHA512: e5af555f7a088de2d8bc439ae09522464f7c888b1e7df0e84393de2f403915bebd7c9263c1cea8365de749f1cb1fa0bf33cb9a5924ce19de70517f250380c273
- Filesize: 808KB
  MD5: ae15992ecc241654997b0e4bcfaa07b3
  SHA1: 9ef2cb53adea59c6045a492d7b7317ecb3998373
  SHA256: cf3dab2a4ba21609762dff658b3b6831f2ae5976adfe0aed8f76090d30c7f1b3
  SHA512: 7654e5a81945f357b252c51189d1ddacc941184a9800723c955a0ed3d463fc82872d31b352184886b9ae20d0b34e906892e765577d6819bcadbfba98f0145ab3
  Same size and hashes as the submitted image.exe.