Analysis

max time kernel: 18s
max time network: 20s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 06:24
General

Target: iio.exe
Size: 47KB
MD5: 737848c12a722379d585dc4c05c0c382
SHA1: 235ecf4b2a37303201eb08e4e5c8f4a5831b5e58
SHA256: 9650473b3a6d1d9478797e85cd7ad79c071425d2a71014a874caedef435d1980
SHA512: 680c28e49985f13593d402f6b7fcce56928dac2a5644342042f293c3603abe82905d53267b9b46a6f7a009fcbd2cf1d3e68abb498fa4f75c39ec0b8b90fd47fd
SSDEEP: 768:KanemsORjPrinbfh7uKqaoRpPLmmN3TeWkuvCbH0bme4RJE5L4cDZ9f+:KanemsOR7xaApxhkuvaUbme4zArd9f+
Malware Config

Extracted

Family: asyncrat
Version: 0.5.7B
Botnet: SYR
C2:
  147.185.221.24:6606
  147.185.221.24:7707
  147.185.221.24:8808
  147.185.221.24:33931
Mutex: Tg31N8yl8KBD
Attributes:
  delay: 3
  install: true
  install_file: Win32.exe
  install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoC)
  resource: behavioral1/files/0x0007000000023c94-11.dat
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | iio.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1356 | Win32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Win32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iio.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  1068 | timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1752 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  4520 | iio.exe  (23 identical events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4520 | iio.exe
  Token: SeDebugPrivilege | 1356 | Win32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 4520 wrote to memory of 3680 | 4520 | iio.exe | 85  (3 events)
  PID 4520 wrote to memory of 3868 | 4520 | iio.exe | 87  (3 events)
  PID 3868 wrote to memory of 1068 | 3868 | cmd.exe | 89  (3 events)
  PID 3680 wrote to memory of 1752 | 3680 | cmd.exe | 90  (3 events)
  PID 3868 wrote to memory of 1356 | 3868 | cmd.exe | 91  (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\iio.exe  (PID 4520)
  command line: "C:\Users\Admin\AppData\Local\Temp\iio.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 3680)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Win32" /tr '"C:\Users\Admin\AppData\Roaming\Win32.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 1752)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Win32" /tr '"C:\Users\Admin\AppData\Roaming\Win32.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe  (PID 3868)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA95F.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 1068)
      command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Win32.exe  (PID 1356)
      command line: "C:\Users\Admin\AppData\Roaming\Win32.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 149B
MD5: 4b39e2dcb21ce42ceaa977d779aa0835
SHA1: db06dc026423d8a81409b65dc732377c419214a9
SHA256: 82294ba8cbcfedd0c207ebae45e9b9160ef0e3cba0a51f4c43cbc2d9396ec6c6
SHA512: 8cbe6cc9d173d6ab60fed7b464aab4a66fb42b42eb040f0a7a7ece88f850cbb2b1c16218e153ebeaa0be731e0900832c685a341e2553caf39fb192f83c7b17bc

Filesize: 47KB
MD5: 737848c12a722379d585dc4c05c0c382
SHA1: 235ecf4b2a37303201eb08e4e5c8f4a5831b5e58
SHA256: 9650473b3a6d1d9478797e85cd7ad79c071425d2a71014a874caedef435d1980
SHA512: 680c28e49985f13593d402f6b7fcce56928dac2a5644342042f293c3603abe82905d53267b9b46a6f7a009fcbd2cf1d3e68abb498fa4f75c39ec0b8b90fd47fd