Overview

overview

10

Static

static

3

injection.exe

windows7-x64

10

injection.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    27-12-2024 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    injection.exe

  • Size

    264KB

  • MD5

    a0051fa6f5190c984a269d026a47e7b4

  • SHA1

    380cbbddfcac3fb22bd78f60bf8445f1f1634b94

  • SHA256

    7d739906ed3602a3617329cf9a8c314c4bf0cb898923e53137d6b25b2e3e4595

  • SHA512

    4cc10e504d5351fae69e3a918a9fd4386e10f3e73723ad84989e2fe23ac32fb3e60bfd3a6e777e7bc17f448331393774e31570596ca270307f0d7a250e00d1e0

  • SSDEEP

    3072:Vj+C7lQ52Mrb/x5xrzQdUJ+fYy8xDVY6OVfNoteAPEHBAnpK37nXx8b0uaQ7nlPt:V77MrvxAdU+IFXOOev8tDlPOvXzx1a

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

lfrlrahocljxyqyr

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/xFvrV0SD

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\injection.exe
    "C:\Users\Admin\AppData\Local\Temp\injection.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0A896017-683F-4CD7-89A6-EE1A51DE426F} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Roaming\SearchApp.exe
      C:\Users\Admin\AppData\Roaming\SearchApp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\55ZUJ431XSU8MIS26A8U.temp
    Filesize

    7KB

    MD5

    f8d12ccc6e969a5c566c13bc51ff7a42

    SHA1

    5ce84b2aec381f04c8397a9066020cc2fb78c963

    SHA256

    ba999977629614e43892c27c80fbef09b4f292e0e9b6be81135c485836c04412

    SHA512

    33b1753d1a7ac0c1cefc12c6236fb1c074146778b179f8c5a8d84ccd0c5a19095aef021e9af5097df5046c5e9b80ed42950f642d8ee25f8fcf13f81d525a6076

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SearchApp.exe
    Filesize

    264KB

    MD5

    a0051fa6f5190c984a269d026a47e7b4

    SHA1

    380cbbddfcac3fb22bd78f60bf8445f1f1634b94

    SHA256

    7d739906ed3602a3617329cf9a8c314c4bf0cb898923e53137d6b25b2e3e4595

    SHA512

    4cc10e504d5351fae69e3a918a9fd4386e10f3e73723ad84989e2fe23ac32fb3e60bfd3a6e777e7bc17f448331393774e31570596ca270307f0d7a250e00d1e0

    Download Submit

  • memory/280-6-0x0000000002990000-0x0000000002A10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/280-7-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/280-8-0x0000000002250000-0x0000000002258000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1544-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1544-15-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2556-0-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-1-0x0000000000A50000-0x0000000000A98000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2556-18-0x000000001B170000-0x000000001B1F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2856-22-0x00000000001D0000-0x0000000000218000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2856-23-0x00000000005C0000-0x00000000005D8000-memory.dmp

    Filesize

    96KB

    Download