Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 19:11
Static task: static1
Behavioral task: behavioral1
Sample: image.exe
Resource: win7-20240903-en
General
Target: image.exe
Size: 808KB
MD5: ae15992ecc241654997b0e4bcfaa07b3
SHA1: 9ef2cb53adea59c6045a492d7b7317ecb3998373
SHA256: cf3dab2a4ba21609762dff658b3b6831f2ae5976adfe0aed8f76090d30c7f1b3
SHA512: 7654e5a81945f357b252c51189d1ddacc941184a9800723c955a0ed3d463fc82872d31b352184886b9ae20d0b34e906892e765577d6819bcadbfba98f0145ab3
SSDEEP: 12288:FUDM6VWVHA/L5DnbH22qla5w/yXbxFPkWtslyfZGxrNDFhmlUv2Ju:FUDM6VWKNbH0MW/IbxQ0RK5fv2Ju
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 185.140.53.131:7171
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: true
- install_file: image.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by image.exe (3 times): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  PID 540 image.exe; PID 3204 image.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1080 image.exe set thread context of 1412 (procid_target 104)
  PID 540 image.exe set thread context of 3204 (procid_target 117)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by: cmd.exe (4 times), image.exe (4 times), timeout.exe (3 times), powershell.exe (2 times), schtasks.exe (1 time)
- Delays execution with timeout.exe (3 IoCs)
  PID 4340 timeout.exe; PID 3092 timeout.exe; PID 2964 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4504 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  PID 3768 powershell.exe (2 times); PID 1080 image.exe (2 times); PID 1412 image.exe (21 times); PID 4924 powershell.exe (2 times); PID 540 image.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege for PID 3768 powershell.exe, PID 1080 image.exe, PID 1412 image.exe, PID 4924 powershell.exe, PID 540 image.exe, PID 3204 image.exe
- Suspicious use of WriteProcessMemory (49 IoCs; duplicate rows collapsed, count of identical rows in brackets)
  PID 1080 image.exe wrote to memory of 3768 (procid_target 83) [3]
  PID 1080 image.exe wrote to memory of 4256 (procid_target 98) [3]
  PID 4256 cmd.exe wrote to memory of 2964 (procid_target 100) [3]
  PID 1080 image.exe wrote to memory of 1412 (procid_target 104) [8]
  PID 1412 image.exe wrote to memory of 220 (procid_target 105) [3]
  PID 1412 image.exe wrote to memory of 3712 (procid_target 107) [3]
  PID 220 cmd.exe wrote to memory of 4504 (procid_target 109) [3]
  PID 3712 cmd.exe wrote to memory of 4340 (procid_target 110) [3]
  PID 3712 cmd.exe wrote to memory of 540 (procid_target 111) [3]
  PID 540 image.exe wrote to memory of 4924 (procid_target 112) [3]
  PID 540 image.exe wrote to memory of 4908 (procid_target 114) [3]
  PID 4908 cmd.exe wrote to memory of 3092 (procid_target 116) [3]
  PID 540 image.exe wrote to memory of 3204 (procid_target 117) [8]
Processes
- C:\Users\Admin\AppData\Local\Temp\image.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
  PID: 1080
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
    PID: 3768
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    PID: 4256
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 20
      PID: 2964
      Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
  - C:\Users\Admin\AppData\Local\Temp\image.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\image.exe
    PID: 1412
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Roaming\image.exe"' & exit
      PID: 220
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Roaming\image.exe"'
        PID: 4504
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2507.tmp.bat""
      PID: 3712
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 4340
        Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\image.exe
        Command line: "C:\Users\Admin\AppData\Roaming\image.exe"
        PID: 540
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
          PID: 4924
          Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
          PID: 4908
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 20
            PID: 3092
            Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
        - C:\Users\Admin\AppData\Roaming\image.exe
          Command line: C:\Users\Admin\AppData\Roaming\image.exe
          PID: 3204
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads