Overview

overview

10

Static

static

10

cd15ddd8aa...92.exe

windows7-x64

10

cd15ddd8aa...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd15ddd8aa45ad1acc1bf1909db65a38ae8581e249eb06c1148b54e4d1db7e92.exe

  • Size

    61KB

  • MD5

    a2c0aac6a28d606b4e0e6b9b2c9010d2

  • SHA1

    68fd191a7a8f91b8c2dc719a508f45d44c634071

  • SHA256

    cd15ddd8aa45ad1acc1bf1909db65a38ae8581e249eb06c1148b54e4d1db7e92

  • SHA512

    9a340cf7084598fadef7e335b7fd8f7b60e55a83e0d41ff2d3381d190a8c507dd876faf52b4b411054bf4ba768c982707eef3d957d8393eccc3210dfcf6749cc

  • SSDEEP

    1536:8F8JsI94/CcIAVBjl03bCPSirh18n3bNEx+:m8JsZCcIAzjl03bCPrh18rNEE

Score
10/10
asyncratdiscoveryrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd15ddd8aa45ad1acc1bf1909db65a38ae8581e249eb06c1148b54e4d1db7e92.exe
    "C:\Users\Admin\AppData\Local\Temp\cd15ddd8aa45ad1acc1bf1909db65a38ae8581e249eb06c1148b54e4d1db7e92.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "girlshelpgirls3" /tr '"C:\Users\Admin\AppData\Roaming\girlshelpgirls3.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "girlshelpgirls3" /tr '"C:\Users\Admin\AppData\Roaming\girlshelpgirls3.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE445.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:5020
      • C:\Users\Admin\AppData\Roaming\girlshelpgirls3.exe
        "C:\Users\Admin\AppData\Roaming\girlshelpgirls3.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE445.tmp.bat
    Filesize

    159B

    MD5

    1ae40f6c81e256f2f5e4207078a913bf

    SHA1

    6aa5195fbfd2aab2b7c929e3683ca87edbeb1ec0

    SHA256

    5a6ada6e3fa94d3f5725dac96e0739a2df64182e25e0ec2c8f30699f184f1906

    SHA512

    b982f8dceb4bc0025767828133e37e5fa9cdafeeebeece6b4e37c5068ca69bc14981b30d6f05dc223f1746c518571c946c078b32e39b4ca453d5b484d5cf4709

    Download Submit

  • C:\Users\Admin\AppData\Roaming\girlshelpgirls3.exe
    Filesize

    61KB

    MD5

    a2c0aac6a28d606b4e0e6b9b2c9010d2

    SHA1

    68fd191a7a8f91b8c2dc719a508f45d44c634071

    SHA256

    cd15ddd8aa45ad1acc1bf1909db65a38ae8581e249eb06c1148b54e4d1db7e92

    SHA512

    9a340cf7084598fadef7e335b7fd8f7b60e55a83e0d41ff2d3381d190a8c507dd876faf52b4b411054bf4ba768c982707eef3d957d8393eccc3210dfcf6749cc

    Download Submit

  • memory/1656-13-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1656-14-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2988-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2988-1-0x0000000000340000-0x0000000000356000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2988-2-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2988-3-0x0000000004D50000-0x0000000004DEC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2988-9-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download