Analysis
-
max time kernel
613s -
max time network
442s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 19:35
General
-
Target
earlyBuild.exe
-
Size
6.1MB
-
MD5
c78621d331c1b49744b469ba7dd7f414
-
SHA1
83eb55f7728c7f9d7cd83d398ab1ced176b082b6
-
SHA256
912e2b3852a85d651a08efe238290f759bbadebbc79772b989aaa57b5857e4ee
-
SHA512
cd195b0338659e8d295f9ed2eb8d3002487c3c1320935197dfbcc195e2af8940aec8933251f2e4df3a91ebeeba2fa8074f51b606ccb040200476e6ac467ee0d0
-
SSDEEP
196608:bSkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:OkSopwtQQl2aOtXADu8X9Y95GQLJ
Malware Config
Extracted
asyncrat
1.0.7
Default
51.89.44.68:8848
etb3t1tr5n
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 6 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\earlyBuild.exe"C:\Users\Admin\AppData\Local\Temp\earlyBuild.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe5913cc40,0x7ffe5913cc4c,0x7ffe5913cc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-logging --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --field-trial-handle=1896,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=2056,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=2172,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4080,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4076 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4696,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4764,i,4506711015958797290,10811513686207300875,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:83⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All3⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging2⤵
- Uses browser remote debugging
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe53c746f8,0x7ffe53c74708,0x7ffe53c747183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1488,7173768134170749713,10317259383311830232,131072 --disable-features=PaintHolding --disable-logging --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --disable-logging --mojo-platform-channel-handle=1496 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,7173768134170749713,10317259383311830232,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --disable-logging --mojo-platform-channel-handle=1724 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-logging --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1488,7173768134170749713,10317259383311830232,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1968 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c2388512-8baf-47fc-9f61-22ab7aba5f63.bat"2⤵
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 29723⤵
- Kills process with taskkill
-
-
C:\Windows\system32\timeout.exetimeout /T 2 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
152B
MD50078ca5f62c48540d631c8153442f437
SHA16047371463ae9348afb990c52cdd2a40e6ed46c0
SHA256c1aefd128588b58af052657bee5f2e6f477ddc16ffb9623861ab98f792a60e8c
SHA5124de3a06e9a2b4fe75a98fe7aeae75279652267ca95461c63af3b53bafd2fd0929471c579899067dcb7027193fedb05bb357b745f9cc1cb000bd40419a19324a0
-
Filesize
220B
MD52ab1fd921b6c195114e506007ba9fe05
SHA190033c6ee56461ca959482c9692cf6cfb6c5c6af
SHA256c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc
SHA5124f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5
-
Filesize
6KB
MD5c9c3d516d2d6b1ae4aa82d30a8d88df5
SHA11d4686fcfd73561f2831b694d46970482de9e5e2
SHA256c08d84b922fee399b0789cced5b0a4998d7250f3f7f4ef76febd6ba1fd1ee0fa
SHA5123c602eae150154eefb8adcc386eb1a4ad7d7430d3f8caf5099c12a182d0c6fe11110ef4b44f22b5c707db326bb49ef2b950438b7066c53107d5127d731ed269e
-
Filesize
2KB
MD5e03e9d578e849f150d0592a28455c49d
SHA1f80d6208b0d5109d218a9312ad7f9f41ecacc24d
SHA256b1022dff05f823e6385d71d8c8aa1fcbf9aea98a41dc2300c13d53a99483d984
SHA51265341d5e14b595a35b90402bb9432261f9fffccd8eb06a00a0cc96d9fb2d9de43c17b9f47d27ad134917d1ebadb0deb19d677d029d259be5ec252f104b5a8033
-
Filesize
3KB
MD59d503d640db70b6d6aeab44b376e382a
SHA156920fe43a3cc0cb8673ffa6f56e123fc0ea97aa
SHA25602e727b97a4a3593007e7091dc7381099bc241a17a51777a0df160375796354f
SHA5125021d7f75e6db8202e140dd2b8b0bdb1841d32c1d4b33dae5f3078aab74a923e290dc215641e8d8ebe35256603ad30e7c6282369f3ae04b68565f056d3e5792c
-
Filesize
3KB
MD5ece59cad122ed8f4d93e7237fae0f949
SHA1519258e40ffa0aae649575396f7b1d4f64d1a5a8
SHA2564de8e030e7ea4049ae7526b7d20a0866e4ec31328e94b80ed0b568d9c5564ecb
SHA512441fca41a95604f3f6ef493a4fb983ec7b154d194ab92c45e3381120cb8fe8be3751ea8b3aef3e83b37510b03d3c7004a2acc380577560b20d3af7fea0edd3f0
-
Filesize
4KB
MD515be6926bb7d87a4067854dca1527834
SHA1755839cd014106512313a811476671147a1f44f5
SHA2565b3bc6bacd8c1797d6195a53c84196f7d58c4373a6652d51df07ad81e37ae79a
SHA51210ef7b9eccb81deca6be6e5febc427f37b0f2e09b0e99f65e30f491861700e3cb918b968223f6e81e276dfd6e113f1fe66ab3972c4e56e6f842b857e8af13e62
-
Filesize
349B
MD519e75f3dae29cc137a802b15e4a2fbc7
SHA10f586ed27178a446ba9511ea920712c567e1853c
SHA25679d2d4322ff86aad265401f645cbb9fc67c05f72267e855d924150e25fbd86b4
SHA5127665a0fed618265fcb9b759f163be1c6035889789a38fe7ac7f71379087d3275abc5ac9dda151f4e904817648d4fee2f336bdd0730467ed35e678f8a4490af66
-
Filesize
978B
MD5591a6e920feb3292aca8f2300d2a6d9b
SHA13ee3b89687c621a4adc9ef7eebf1d70a4b4f0b44
SHA2565b0ded540b2239c3753fb78f0577f57d8aa51b8ecb9a32ce76e9b5f87cd83119
SHA5120a2dc8b4647c7208b28e1af572b82752dc4ff41215885961cf6e5776b1cd19b0cbfff0bdeda46f74cad8c4a08fcf1f19c35c1e66fea79e167856bb1bf7f31de1
-
Filesize
2B
MD5c20ad4d76fe97759aa27a0c99bff6710
SHA17b52009b64fd0a2a49e6d8a939753077792b0554
SHA2566b51d431df5d7f141cbececcf79edf3dd861c3b4069f0b11661a3eefacbba918
SHA5125aadb45520dcd8726b2822a7a78bb53d794f557199d5d4abdedd2c55a4bd6ca73607605c558de3db80c8e86c3196484566163ed1327e82e8b6757d1932113cb8
-
Filesize
63KB
MD567ca41c73d556cc4cfc67fc5b425bbbd
SHA1ada7f812cd581c493630eca83bf38c0f8b32b186
SHA25623d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b
SHA5120dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
6.1MB
-
Filesize
712KB
-
Filesize
272KB
-
Filesize
104KB
-
Filesize
640KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB