Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-12-2024 14:13
General
-
Target
Discord.exe
-
Size
71KB
-
MD5
045c870906097c7aa54d257382471115
-
SHA1
bea629242fb4facf3fd1de1f86ce3e2811777520
-
SHA256
025ce30902b4a9cade0381c523ac27d67c0598743ba2675e7efd3669ec8ff141
-
SHA512
cf89a37c99c52db276233c0371952c5595448299f7d3d0372f456f5c1dbe3037a2e14d61ef98685739fb71f728879169247afcc9e1da549d31b5bb52407c785c
-
SSDEEP
768:gucNE9IL2C6y+DiPdPiBLVisiW0zUYbhge7tkeGqm77rvEgK/Jrpp6uB3+Vc6KN:Ncy2RCUe0zbbOzeGqCnkJrpp66+VclN
Malware Config
Extracted
asyncrat
1.0.7
Default
185.65.134.165:55160
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Discord.exe"C:\Users\Admin\AppData\Local\Temp\Discord.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB769.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD54fb3758b179db49c96b4a652b51880b5
SHA1fa96bad011db5fbaed3fea9867d31f53dfbf9921
SHA256b8e3c6e865bb07b9c7d07545667d4272e5d4c7906f7c4ce1b5971faf62728410
SHA5125f1426f4062536d556e148262eb6f657bf638ad0b7fe2db6df0c24aa42387f31f0f6d76b85d2c4c4b1a721376f0fc25fe1096db832f8eccb7f327e94c71c83cd
-
Filesize
71KB
MD5045c870906097c7aa54d257382471115
SHA1bea629242fb4facf3fd1de1f86ce3e2811777520
SHA256025ce30902b4a9cade0381c523ac27d67c0598743ba2675e7efd3669ec8ff141
SHA512cf89a37c99c52db276233c0371952c5595448299f7d3d0372f456f5c1dbe3037a2e14d61ef98685739fb71f728879169247afcc9e1da549d31b5bb52407c785c
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB