Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-01-2025 16:37

General

  • Target

    Order Delivery- 1.6.2025.exe

  • Size

    719KB

  • MD5

    3e1c3afc24c1772f2a911f0ba3f0cd97

  • SHA1

    8d4f335aa9ad3600bb65a8ab43275ce3d02fd9b3

  • SHA256

    2559430bdf73cfe99051af2529d80c9691b641063fe0dd347270e2dff7553479

  • SHA512

    36f11963360b3fba19b93b16cd19bf67e24887df96d2fd7797575d7c77bdf28b41c65fed042c9dd330dd358a87b4deacbcdebf9ffb7fce96c52fe254140b1ef6

  • SSDEEP

    12288:9crNS33L10QdrXi4P7r9r/+ppppppppppppppppppppppppppppp0GHpnzDRLI3r:ANA3R5drXj1qHpzDRyEyon7Y1aJ+eW

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default01

C2

93.123.109.235:8747

93.123.109.235:7477

woolingbrin.systes.net:8747

woolingbrin.systes.net:7477

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    cicj.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    schtasks.exe is often used by malware for persistence or for post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\mysfgdf.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Users\Admin\AppData\Roaming\sdrtzd.sfx.exe
        sdrtzd.sfx.exe -pyhtgfredsweafupbodcsyRgeyhrntdestyuhngfszhvqxsdfHbgnmeK -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Users\Admin\AppData\Roaming\sdrtzd.exe
          "C:\Users\Admin\AppData\Roaming\sdrtzd.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Users\Admin\AppData\Roaming\sdrtzd.exe
            C:\Users\Admin\AppData\Roaming\sdrtzd.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2520
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"' & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3212
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"'
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC071.tmp.bat""
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4372
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1668
              • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                "C:\Users\Admin\AppData\Local\Temp\cicj.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1716
                • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2092
                • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4636
          • C:\Users\Admin\AppData\Roaming\sdrtzd.exe
            C:\Users\Admin\AppData\Roaming\sdrtzd.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1736
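The process tree above is a compact detection spec: a password-protected self-extracting archive (sdrtzd.sfx.exe -p... -d...) unpacks the payload into Roaming, the payload respawns its own image (the SetThreadContext hits on PIDs 552 and 1716), persistence is a highest-privilege onlogon scheduled task named after the install file and pointing into %Temp%, and a tmp*.tmp.bat stub runs timeout 3 (the configured delay) before launching cicj.exe. The Python below is an added hunting example, not part of the sandbox report or of AsyncRAT; the process-creation events are constructed from the tree on this page (a subset of the PIDs, command lines copied as listed), and the rule names and the finding layout are assumptions of this example.

```python
"""Hunting rules for the dropper chain in the process tree above.
Added example: runs over constructed process-creation events, not sandbox output."""
import re
from pathlib import PureWindowsPath

# Constructed from the process tree on this page: (pid, ppid, image, cmdline).
EVENTS = [
    (3112, 0,    r"C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe"'),
    (1268, 3112, r"C:\Windows\SysWOW64\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\mysfgdf.bat" "'),
    (376,  1268, r"C:\Users\Admin\AppData\Roaming\sdrtzd.sfx.exe",
                 r"sdrtzd.sfx.exe -pyhtgfredsweafupbodcsyRgeyhrntdestyuhngfszhvqxsdfHbgnmeK -dC:\Users\Admin\AppData\Roaming"),
    (552,  376,  r"C:\Users\Admin\AppData\Roaming\sdrtzd.exe", r'"C:\Users\Admin\AppData\Roaming\sdrtzd.exe"'),
    (2520, 552,  r"C:\Users\Admin\AppData\Roaming\sdrtzd.exe", r"C:\Users\Admin\AppData\Roaming\sdrtzd.exe"),
    (3212, 2520, r"C:\Windows\SysWOW64\cmd.exe",
                 r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"' & exit'''),
    (1320, 3212, r"C:\Windows\SysWOW64\schtasks.exe",
                 r"""schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"'"""),
    (4372, 2520, r"C:\Windows\SysWOW64\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC071.tmp.bat""'),
    (1668, 4372, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (1716, 4372, r"C:\Users\Admin\AppData\Local\Temp\cicj.exe", r'"C:\Users\Admin\AppData\Local\Temp\cicj.exe"'),
    (2092, 1716, r"C:\Users\Admin\AppData\Local\Temp\cicj.exe", r"C:\Users\Admin\AppData\Local\Temp\cicj.exe"),
]

# Any path under a user's AppData is writable without elevation; that is where the chain stages everything.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def schtasks_persistence(image, cmdline):
    """schtasks /create of an onlogon task whose action lives under AppData."""
    if PureWindowsPath(image).name.lower() != "schtasks.exe":
        return None
    low = cmdline.lower()
    tr = re.search(r"/tr\s+['\"]*([^'\"]+)", cmdline, re.I)
    if "/create" not in low or "/sc onlogon" not in low or not tr:
        return None
    target = PureWindowsPath(tr.group(1).strip())
    if not USER_WRITABLE.search(str(target)):
        return None
    tn = re.search(r"/tn\s+\"?([^\"\s]+)", cmdline, re.I)
    task = tn.group(1) if tn else ""
    return {"task": task, "target": str(target), "highest": "/rl highest" in low,
            # On this page the task is named after install_file (cicj.exe -> "cicj").
            "task_matches_install_file": task.lower() == target.stem.lower()}


def password_sfx(image, cmdline):
    """A *.sfx.exe driven with -p<password> -d<dir> (WinRAR SFX switches) into a user-writable directory."""
    if not image.lower().endswith(".sfx.exe"):
        return None
    pw = re.search(r"(?:^|\s)-p(\S+)", cmdline)
    dest = re.search(r"(?:^|\s)-d(\S+)", cmdline)
    if not (pw and dest and USER_WRITABLE.search(dest.group(1) + "\\")):
        return None
    return {"password": pw.group(1), "dest": dest.group(1)}


def batch_from_appdata(image, cmdline):
    """cmd.exe /c running a .bat staged under AppData (mysfgdf.bat and the tmp*.tmp.bat delay stub here)."""
    if PureWindowsPath(image).name.lower() != "cmd.exe":
        return None
    m = re.search(r"[A-Z]:\\[^\"]+?\.bat\b", cmdline, re.I)
    if not m or not USER_WRITABLE.search(m.group(0)):
        return None
    return {"script": m.group(0)}


def self_spawn(image, parent_image):
    """Child image equals parent image; with SetThreadContext on the parent this is the usual shape of a hollowed child."""
    return parent_image is not None and image.lower() == parent_image.lower()


def hunt(events):
    """Return (pid, rule, detail) findings for every event that trips a rule."""
    images = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        for rule in (schtasks_persistence, password_sfx, batch_from_appdata):
            detail = rule(image, cmdline)
            if detail:
                findings.append((pid, rule.__name__, detail))
        if self_spawn(image, images.get(ppid)):
            findings.append((pid, "self_spawn", {"parent_pid": ppid}))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print(f"PID {pid:<5} {rule:<22} {detail}")
```

Against the constructed events the rules fire exactly where the tree's signatures do: the two cmd.exe batch launches (1268, 4372), the SFX with a baked-in password (376), the schtasks persistence (1320, task "cicj" matching the stem of the /tr target), and the two self-spawns (2520 under 552, 2092 under 1716). In a real EDR feed the self_spawn rule is the noisy one; pairing it with a SetThreadContext or WriteProcessMemory event on the parent, as the sandbox does, is what makes it worth alerting on.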

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sdrtzd.exe.log

    Filesize

    522B

    MD5

    0f39d6b9afc039d81ff31f65cbf76826

    SHA1

    8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

    SHA256

    ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

    SHA512

    5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

  • C:\Users\Admin\AppData\Local\Temp\tmpC071.tmp.bat

    Filesize

    151B

    MD5

    268b873e1e741d9008cf889560718d35

    SHA1

    47ca9acc06900f2ebba4cbeccf4b0f9eabade74f

    SHA256

    4788481781e0d414caae31a6ea841eed682b7223810584488b3809180a56c463

    SHA512

    fa81d1302281a909d1c475d27df9f122f5d93304f32b32fed768388511f4aa6ca237bde8ba1548d2466b8bc1dc9525ae0d078a1b1ed3539d6ddea4cbb59c46ed

  • C:\Users\Admin\AppData\Roaming\mysfgdf.bat

    Filesize

    18KB

    MD5

    e83dce8f5ff19e5d91133d8aa56923e2

    SHA1

    2c6da0d9a725a91fc7c923bc28f338478c005c54

    SHA256

    5817f59483cbfcab8953c27cca9c7361c62156a400fa3b6a53cc0e4e48d56baa

    SHA512

    0ba193edb692b0abaea08b04c1a5fc2ad83147ad6826aa27e6f13da6b06cbcffd02c7a38b96418e92e4a6ad4800e450ceab913dc610e67829add24265dbd17de

  • C:\Users\Admin\AppData\Roaming\sdrtzd.exe

    Filesize

    147KB

    MD5

    6ad10623e928ad847f7bca5338faff18

    SHA1

    8a7f0ace9c3ec30d76493647e10cf42dbb159d56

    SHA256

    d2d91a8de88407eb1e804adc1c6528fdec8d8df0c4bb0f11ea90cafb730efdcb

    SHA512

    a4afa9283e738a2acedb3af6d136077fd3f005a57e250d5d11c980398a9f42694842fcc06700cde316e5c36d63b90d2f694fed94d9281d6025b3673735efe6c1

  • C:\Users\Admin\AppData\Roaming\sdrtzd.sfx.exe

    Filesize

    368KB

    MD5

    9a5cb8527fdf6f91ca49598053121791

    SHA1

    52a8ace49ef55939381c88a0c31c8ffe8df1deff

    SHA256

    86faa786a6db1b2236096963e7219ca0bba54278e47256e586a24077f137c1bc

    SHA512

    77a52f25a5d3456eed654c91cda2d3fee6acd58564cbbf0fdecc7f33db9c93da829618bda766b633c5ab45c3cf6e3c7ad45a3e611444a2d77d785f0c5bbe29e4

  • memory/552-22-0x0000000000230000-0x000000000025A000-memory.dmp

    Filesize

    168KB

  • memory/552-23-0x0000000004C50000-0x0000000004CEC000-memory.dmp

    Filesize

    624KB

  • memory/2520-24-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB