Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 10:25

General

  • Target

    563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe

  • Size

    2.9MB

  • MD5

    cb6633f84d025274ebfba538e8d1c372

  • SHA1

    098dd07b8ec18dbe2b8f957307aa344c690af16d

  • SHA256

    563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3

  • SHA512

    c94789933c37c0c2c746b42dae70f0b387e42972b7468c257d58f35327e9e5e46b72fbf893a369cb6cc87de6a88f56307815b1db420959ce4aa65e07aceddb6c

  • SSDEEP

    49152:3secMhf75LxU9wBUcIlKSeY36ZUdEcA5w5FeIY0gHGf8GlFSI4v1YojKr:cDMLEwBUVcx5UGdw5FeI1xf8GTSI4e

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe
    "C:\Users\Admin\AppData\Local\Temp\563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\MiniMailViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\MiniMailViewer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4612
    • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A6.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3324
        • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
          "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Runtime Broker.exe.log

    Filesize

    522B

    MD5

    acc9090417037dfa2a55b46ed86e32b8

    SHA1

    53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

    SHA256

    2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

    SHA512

    d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

  • C:\Users\Admin\AppData\Local\Temp\MiniMailViewer.exe

    Filesize

    2.8MB

    MD5

    9d6468123f22e9622c66eb66e2919ce4

    SHA1

    8ff50b94f5327c4e246e1d422f18caadc510797a

    SHA256

    d5a306dafe4778e26be59b37a4146225b6ff91b27ebab60030c44db32d3f4c4d

    SHA512

    72a220665748b7eae980e5ee813fd033e94e4a384a6f3ad5306a87a341bc91c2954578ddc8e1891299827ec022b518c1ae29c85cf220b7b50421d9fe4a16ede9

  • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

    Filesize

    145KB

    MD5

    6b085dea8173ba1ed3f10d003a0866b9

    SHA1

    2d3ae97f63afb748e1557e90c38e0954a0086431

    SHA256

    ad2d510414d17508c57bb797de20ec9164cde2a3710b653edf7eb6bd8bf1a1f0

    SHA512

    83e6c84db37c2de26c6ce0839c8c03a83f831029556c53448d0e8ca006f3258b1de763148abe0f04c5d7b05fb8814f5cfd9d26c036b364c5858f6f2637e90cd5

  • C:\Users\Admin\AppData\Local\Temp\tmp8A6.tmp.bat

    Filesize

    157B

    MD5

    58b64296c8e168196037d2441e9f41d1

    SHA1

    fe3385297284291ef444f5b7adb0ad52ad3f756d

    SHA256

    da1b5bd08baf5fd2bfbc86c2d5cc4caa2f1928f240abd42d2e9e56db1db89b10

    SHA512

    34036b2c4d9a3435b8a07d128b181009a169b97bd4e2e319753575b64bb69747b975035fd9e5f070c8c3818e34c5eb62468bd4822a3bbda0729a9c2cf7a6247b

  • memory/2248-33-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/2248-1-0x0000000000020000-0x0000000000318000-memory.dmp

    Filesize

    3.0MB

  • memory/2248-4-0x00007FFBBD680000-0x00007FFBBE141000-memory.dmp

    Filesize

    10.8MB

  • memory/2248-0-0x00007FFBBD683000-0x00007FFBBD685000-memory.dmp

    Filesize

    8KB

  • memory/4612-41-0x0000000007010000-0x0000000007048000-memory.dmp

    Filesize

    224KB

  • memory/4612-40-0x0000000006410000-0x0000000006418000-memory.dmp

    Filesize

    32KB

  • memory/4612-55-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4612-35-0x0000000009920000-0x00000000099D8000-memory.dmp

    Filesize

    736KB

  • memory/4612-31-0x0000000007850000-0x0000000007922000-memory.dmp

    Filesize

    840KB

  • memory/4612-36-0x0000000008920000-0x0000000008ABE000-memory.dmp

    Filesize

    1.6MB

  • memory/4612-37-0x00000000075F0000-0x000000000762A000-memory.dmp

    Filesize

    232KB

  • memory/4612-38-0x0000000007700000-0x00000000077BA000-memory.dmp

    Filesize

    744KB

  • memory/4612-39-0x0000000007650000-0x0000000007678000-memory.dmp

    Filesize

    160KB

  • memory/4612-34-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4612-18-0x0000000000700000-0x00000000009DE000-memory.dmp

    Filesize

    2.9MB

  • memory/4612-42-0x0000000006FD0000-0x0000000006FDE000-memory.dmp

    Filesize

    56KB

  • memory/4612-54-0x000000007511E000-0x000000007511F000-memory.dmp

    Filesize

    4KB

  • memory/4612-17-0x000000007511E000-0x000000007511F000-memory.dmp

    Filesize

    4KB

  • memory/4824-30-0x00000000005D0000-0x00000000005FA000-memory.dmp

    Filesize

    168KB

  • memory/4824-48-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

  • memory/4824-43-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

    Filesize

    624KB

  • memory/4824-32-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB