Overview

overview

10

Static

static

3

f4d5285b5d...0b.exe

windows7-x64

3

f4d5285b5d...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2024 05:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4d5285b5ddf8b93586572c67c90434c952d9ffd868508d4de0be44377b3bd0b.exe

  • Size

    53KB

  • MD5

    a61b4683de0819ea1759ab9213ac77d7

  • SHA1

    8b96224454aa706139d751816c724a882ac563ed

  • SHA256

    f4d5285b5ddf8b93586572c67c90434c952d9ffd868508d4de0be44377b3bd0b

  • SHA512

    de600e0d26208ecd66e3bb647e9316e2bba2e7b5282c615c603878034f0a5ea6612ca48a82768181fb3fe611659e9f226ad053b7f8970978a7f302ad2dec7f5b

  • SSDEEP

    768:bTA6UyXqdGMaZpbWPU/xHn1ftNSWMyOpcHOl2k5j/FBWKP62r9a8tYcFGVc6K:AvzOLbWmHrlMyEc/WFBXFr9aAGVcl

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

WindowsProcess2555AV738w30weweew28378

Attributes
  • delay

    1

  • install

    true

  • install_file

    WindowsUserPerformanceMonitor.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/hBHVtPrB

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4d5285b5ddf8b93586572c67c90434c952d9ffd868508d4de0be44377b3bd0b.exe
    "C:\Users\Admin\AppData\Local\Temp\f4d5285b5ddf8b93586572c67c90434c952d9ffd868508d4de0be44377b3bd0b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\TempApp.exe
      "C:\Users\Admin\AppData\Local\Temp\TempApp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUserPerformanceMonitor" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUserPerformanceMonitor.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3752
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "WindowsUserPerformanceMonitor" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUserPerformanceMonitor.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1736
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp99CF.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3176
        • C:\Users\Admin\AppData\Roaming\WindowsUserPerformanceMonitor.exe
          "C:\Users\Admin\AppData\Roaming\WindowsUserPerformanceMonitor.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TempApp.exe
    Filesize

    48KB

    MD5

    3d8aafc8ab36b03c90e925e72eb78efb

    SHA1

    03d22f31f27e2de64b6c52f3073d711a0f726035

    SHA256

    b9161b198d8ba4e0c6497e1086b22032b48f851a662e7e46fbc926d57db73e4d

    SHA512

    f316649f4cd3fb778fb58f20ecd32ecc293ae19e7b59ee7182a99635abe3dd6043140a854fa11166ab06a5b24f2e8718e5fc55d30cd53b67497cbdccc6b6375b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp99CF.tmp.bat
    Filesize

    173B

    MD5

    2d879cb812165ba620226904c1b8327b

    SHA1

    bbaff4b3049ea08b376289d61637a0bb0b063797

    SHA256

    010dc9c69a4e569b3dccc91468d75e4a98c062c283c469eea16b6c43d0a84dff

    SHA512

    9dfca4039f2122db17d09eec1e0eb4ea1232518c7d04123f4895077563e7305174e865ed981efc4a91b2053b94e8847039d1a0ca0ad185463502c1104e829ba8

    Download Submit

  • memory/1404-6-0x0000000075180000-0x0000000075930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1404-3-0x0000000005010000-0x00000000050A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1404-4-0x00000000050D0000-0x00000000050DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1404-5-0x0000000075180000-0x0000000075930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1404-0-0x000000007518E000-0x000000007518F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-2-0x00000000056A0000-0x0000000005C44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1404-1-0x0000000000620000-0x0000000000632000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1404-27-0x000000007518E000-0x000000007518F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1404-31-0x0000000075180000-0x0000000075930000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4984-18-0x00007FF8BC243000-0x00007FF8BC245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4984-19-0x00000000000E0000-0x00000000000F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4984-20-0x00007FF8BC240000-0x00007FF8BCD01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-25-0x00007FF8BC240000-0x00007FF8BCD01000-memory.dmp

    Filesize

    10.8MB

    Download