Overview

overview

10

Static

static

3

Order Deli...25.exe

windows7-x64

10

Order Deli...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2025 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Delivery- 1.6.2025.exe

  • Size

    634KB

  • MD5

    638945b4208abc0bc7126657454a4e03

  • SHA1

    8dc353e3834325e94f3bcf1c28d0763af5183336

  • SHA256

    0265bce453d46f747901b0cc32367afc17ca79c5ab05d55b66ed58c99680fc95

  • SHA512

    382b9ecd098154fc638870b901d54c659c02e3c2c92ea90bfa82080052e2c7095b76315cf3f63250d9bfdaeb4d1356123beac069553f37a845cd42296b5b3509

  • SSDEEP

    12288:VcrNS33L10QdrXPdlM/nQPe6cS1RBEp2LBoK:INA3R5drXPU/QPp71RB62LaK

Score
10/10
asyncratdefault01discoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default01

C2

93.123.109.235:8747

93.123.109.235:7477

woolingbrin.systes.net:8747

woolingbrin.systes.net:7477
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    cicj.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 10 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\nysfgdf.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Roaming\axfhtgf.sfx.exe
        axfhtgf.sfx.exe -prhtnjhmyopeafupbodcsyRgeyhrntdestyuhngfszhvqxsdfHbgnmeK -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
          "C:\Users\Admin\AppData\Roaming\axfhtgf.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:268
          • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"' & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1000
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"'
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2008
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE1A.tmp.bat""
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:856
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1872
              • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                "C:\Users\Admin\AppData\Local\Temp\cicj.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3028
                • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2996
                • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAE1A.tmp.bat
    Filesize

    151B

    MD5

    bb33fdcfa3b6b56ab0b92def91109112

    SHA1

    3aa4e34a23e93e9971ca23f04eca3d97a3d223b3

    SHA256

    006a1153c1a21fb53d5477f73c430f8257554fe37376a99fa6c4425e9f8b2749

    SHA512

    ca0a65aaa9fea1f0c26d2efd198fd32a3bebaa389af7173ce415c1218b18a129c87872e97f1a11313c6fe781c1adabffd0872e29813f9fcaaead2bc5afb15051

    Download Submit

  • C:\Users\Admin\AppData\Roaming\axfhtgf.sfx.exe
    Filesize

    378KB

    MD5

    285c5a2ee7f7e2f8899a10c020bad34f

    SHA1

    80a741e71d3e39b604ad4c7fe683280d5d59f650

    SHA256

    41784ae5b08ebe9845fd1b5a2d0acf6a106af1e9b831e4cc90882fb21ba8e471

    SHA512

    1e749fb5865d4a0cafbcdbc38396783a07b90c85d937b841f0edd5137f9bafca20bd6dc0d16edd1b1a044b7b09b212b7c3b3e103afb22a2f472383e131de4bd3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\nysfgdf.bat
    Filesize

    18KB

    MD5

    c327f015421ac450f45c71d9ba6c484d

    SHA1

    ebbb869db3400e24bb4db7dfe0d9a02a362506a5

    SHA256

    b6d496034ed43d0873a77e92ba6d67a8e21e10e7b4a39c7b573129fe148ac656

    SHA512

    de29eec672f70ee5a5996f63ea1edfcc38eb9002278a1bba3efa442c42fe291509c7351c1da4f8d12b4974dd7aa343d4c714e0ac3b985a525acae6b9af0d6c22

    Download Submit

  • \Users\Admin\AppData\Roaming\axfhtgf.exe
    Filesize

    147KB

    MD5

    2d735caa3720bb94c102340c5c2b5844

    SHA1

    267ac23abccfdffc79608f35ffbc7bdce0c39e1b

    SHA256

    3767ac304f6a9a66ebe0a613957db07e61e1becf3e797ff33c98858a90f69f9c

    SHA512

    2b5aef84fc79f366bdb535c4aa69a91d187e0cb0099950ae18d71acd02602473b95148dde6fa29c7927e7d74c9f0586055240dc58dedf63c8fcaa8eeaf1e1a94

    Download Submit

  • memory/268-48-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/268-42-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/268-39-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2752-37-0x0000000001330000-0x000000000135A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2996-66-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2996-69-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3028-61-0x0000000001190000-0x00000000011BA000-memory.dmp

    Filesize

    168KB

    Download