Overview

overview

10

Static

static

3

Order Deli...25.exe

windows7-x64

10

Order Deli...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Delivery- 1.6.2025.exe

  • Size

    634KB

  • MD5

    638945b4208abc0bc7126657454a4e03

  • SHA1

    8dc353e3834325e94f3bcf1c28d0763af5183336

  • SHA256

    0265bce453d46f747901b0cc32367afc17ca79c5ab05d55b66ed58c99680fc95

  • SHA512

    382b9ecd098154fc638870b901d54c659c02e3c2c92ea90bfa82080052e2c7095b76315cf3f63250d9bfdaeb4d1356123beac069553f37a845cd42296b5b3509

  • SSDEEP

    12288:VcrNS33L10QdrXPdlM/nQPe6cS1RBEp2LBoK:INA3R5drXPU/QPp71RB62LaK

Score
10/10
asyncratdefault01discoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default01

C2

93.123.109.235:8747

93.123.109.235:7477

woolingbrin.systes.net:8747

woolingbrin.systes.net:7477
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    cicj.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Delivery- 1.6.2025.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\nysfgdf.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Users\Admin\AppData\Roaming\axfhtgf.sfx.exe
        axfhtgf.sfx.exe -prhtnjhmyopeafupbodcsyRgeyhrntdestyuhngfszhvqxsdfHbgnmeK -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
          "C:\Users\Admin\AppData\Roaming\axfhtgf.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            5⤵
            • Executes dropped EXE
            PID:3404
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 80
              6⤵
              • Program crash
              PID:3000
          • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            C:\Users\Admin\AppData\Roaming\axfhtgf.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1220
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"' & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1180
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "cicj" /tr '"C:\Users\Admin\AppData\Local\Temp\cicj.exe"'
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E53.tmp.bat""
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4512
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2360
              • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                "C:\Users\Admin\AppData\Local\Temp\cicj.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4696
                • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1408
                • C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  C:\Users\Admin\AppData\Local\Temp\cicj.exe
                  8⤵
                  • Executes dropped EXE
                  PID:4392
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 80
                    9⤵
                    • Program crash
                    PID:4720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404
    1⤵
      PID:3956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4392 -ip 4392
      1⤵
        PID:2708

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\axfhtgf.exe.log
        Filesize

        522B

        MD5

        0f39d6b9afc039d81ff31f65cbf76826

        SHA1

        8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

        SHA256

        ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

        SHA512

        5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp9E53.tmp.bat
        Filesize

        151B

        MD5

        9cd016676210c135adf68f265594e79d

        SHA1

        070362e528a2e8a76ca09e8b002ba78577df3ae4

        SHA256

        3edd165ab7928f7e464a280c7f412eff184cf9b22c9e9e498a4f47da7408cdba

        SHA512

        04dd4205e8d44165b5bc201a999413a8231f5e1e14777b2f95281c704d3809808b98f5fde6b022490bb25343a4a78eca9a2d95af53ed48c973ebe4872ae62e61

        Download Submit

      • C:\Users\Admin\AppData\Roaming\axfhtgf.exe
        Filesize

        147KB

        MD5

        2d735caa3720bb94c102340c5c2b5844

        SHA1

        267ac23abccfdffc79608f35ffbc7bdce0c39e1b

        SHA256

        3767ac304f6a9a66ebe0a613957db07e61e1becf3e797ff33c98858a90f69f9c

        SHA512

        2b5aef84fc79f366bdb535c4aa69a91d187e0cb0099950ae18d71acd02602473b95148dde6fa29c7927e7d74c9f0586055240dc58dedf63c8fcaa8eeaf1e1a94

        Download Submit

      • C:\Users\Admin\AppData\Roaming\axfhtgf.sfx.exe
        Filesize

        378KB

        MD5

        285c5a2ee7f7e2f8899a10c020bad34f

        SHA1

        80a741e71d3e39b604ad4c7fe683280d5d59f650

        SHA256

        41784ae5b08ebe9845fd1b5a2d0acf6a106af1e9b831e4cc90882fb21ba8e471

        SHA512

        1e749fb5865d4a0cafbcdbc38396783a07b90c85d937b841f0edd5137f9bafca20bd6dc0d16edd1b1a044b7b09b212b7c3b3e103afb22a2f472383e131de4bd3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\nysfgdf.bat
        Filesize

        18KB

        MD5

        c327f015421ac450f45c71d9ba6c484d

        SHA1

        ebbb869db3400e24bb4db7dfe0d9a02a362506a5

        SHA256

        b6d496034ed43d0873a77e92ba6d67a8e21e10e7b4a39c7b573129fe148ac656

        SHA512

        de29eec672f70ee5a5996f63ea1edfcc38eb9002278a1bba3efa442c42fe291509c7351c1da4f8d12b4974dd7aa343d4c714e0ac3b985a525acae6b9af0d6c22

        Download Submit

      • memory/1220-26-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3992-22-0x0000000000F80000-0x0000000000FAA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3992-23-0x00000000058D0000-0x000000000596C000-memory.dmp

        Filesize

        624KB

        Download