Overview

overview

10

Static

static

3

build.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    18s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    31-12-2024 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build.exe

  • Size

    6.1MB

  • MD5

    e7635fd18fe8720076cbfa1c2291132a

  • SHA1

    36b92c71ba43577bae36cada0123fa27ccfb7df0

  • SHA256

    bdfc9238f4c1c4d26fdd838bd39f0cff4f7628878320b73b1245cc21321615d7

  • SHA512

    f2b613f7db04d3d179ef6ddeb979de64351400b029c11b661da36ee88184277c5c78dea147f4be064e56549a6dd52b7a7b85ea36efc6c249cfcd5453f93bfaad

  • SSDEEP

    196608:7SkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:ukSopwtQQl2aOtXADu8X9Y95GQLJ

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:3880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    63KB

    MD5

    67ca41c73d556cc4cfc67fc5b425bbbd

    SHA1

    ada7f812cd581c493630eca83bf38c0f8b32b186

    SHA256

    23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

    SHA512

    0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

    Download Submit

  • memory/4424-0-0x00007FFF50F43000-0x00007FFF50F45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4424-1-0x000002BCD77A0000-0x000002BCD7DB6000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4424-2-0x00007FFF50F40000-0x00007FFF51A02000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4424-20-0x00007FFF50F43000-0x00007FFF50F45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4424-21-0x00007FFF50F40000-0x00007FFF51A02000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4920-17-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4920-18-0x00007FFF50F40000-0x00007FFF51A02000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4920-19-0x00007FFF50F40000-0x00007FFF51A02000-memory.dmp

    Filesize

    10.8MB

    Download