Overview

overview

10

Static

static

3

new.rar

windows7-x64

1

new.rar

windows10-2004-x64

1

Drivers.Bu...an.log

windows7-x64

1

Drivers.Bu...an.log

windows10-2004-x64

1

Drivers.exe

windows7-x64

10

Drivers.exe

windows10-2004-x64

10

Drivers.exe.recipe

windows7-x64

3

Drivers.exe.recipe

windows10-2004-x64

3

Drivers.iobj

windows7-x64

3

Drivers.iobj

windows10-2004-x64

3

Drivers.ipdb

windows7-x64

3

Drivers.ipdb

windows10-2004-x64

3

Drivers.log

windows7-x64

1

Drivers.log

windows10-2004-x64

1

Drivers.obj

windows7-x64

3

Drivers.obj

windows10-2004-x64

3

Drivers.pdb

windows7-x64

3

Drivers.pdb

windows10-2004-x64

3

Drivers.tl...1.tlog

windows7-x64

3

Drivers.tl...1.tlog

windows10-2004-x64

3

Drivers.tl...1.tlog

windows7-x64

3

Drivers.tl...1.tlog

windows10-2004-x64

3

Drivers.tl...1.tlog

windows7-x64

3

Drivers.tl...1.tlog

windows10-2004-x64

3

Drivers.tl...s.tlog

windows7-x64

3

Drivers.tl...s.tlog

windows10-2004-x64

3

Drivers.tl...dstate

windows7-x64

3

Drivers.tl...dstate

windows10-2004-x64

3

Drivers.tl...1.tlog

windows7-x64

3

Drivers.tl...1.tlog

windows10-2004-x64

3

Drivers.tl...1.tlog

windows7-x64

3

Drivers.tl...1.tlog

windows10-2004-x64

3

Resubmissions

13/01/2025, 00:07

250113-aet59aymcl 3

11/01/2025, 23:31

250111-3h1resxjcl 10

11/01/2025, 23:29

250111-3g1p2awrgr 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/01/2025, 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Drivers.exe

  • Size

    21KB

  • MD5

    3dbe554d99db5921c2869df9745b32be

  • SHA1

    ec61ad96e9848de6e55121c8acd8be6221cc204b

  • SHA256

    70b2d5ddb11d58b8a53d0fdc74259241057812e4dfc21a03b937a320e290d822

  • SHA512

    6e752d09c1c214bd73f5295eb6ff65eb324d123a57de4ae5516b972f9ec3208e962aca9089f9ef6b91ca3c9394d5c6fd68e806012e9b4aff3f9277b3ee8cd6cc

  • SSDEEP

    384:vTRQmNZSqP8MyoXKQmXNQltXpQyXlQx/uoOQtGQmXE9RrA5iXNjd2Ht5rkFJ0Wqx:WlOq2tzclrldjdKkFJCVA3g

Score
10/10
asyncratdefaultdiscoveryevasionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

136.243.175.182:7777

Mutex

9HD6aMtS9FtK

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Drivers.exe
    "C:\Users\Admin\AppData\Local\Temp\Drivers.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4808
    • C:\Users\Admin\AppData\Roaming\Main.exe
      "C:\Users\Admin\AppData\Roaming\Main.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp97EA.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:816
        • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
          "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp97EA.tmp.bat
    Filesize

    158B

    MD5

    e7c3b7310da6a7eb8d1f48294fc988e0

    SHA1

    10f89622d8afe629517f158e2b320e0bf68e3bee

    SHA256

    12338df34ff2b00867953975f634212e0ac37aafdc6f49b14bb497bb3fc481d8

    SHA512

    f6629ae8ce48ab4558b12ffbbe9e848a8380d88dfeb44e6bcdbe099b51c65d4a2d0aa9dc7c570f7f398e1014c7d04ad1f87368771ca11e4f8a71bface58ed9e1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Main.exe
    Filesize

    45KB

    MD5

    3c1178d8a8669ab6be6cd9f7e0cbe003

    SHA1

    50899c700563e6e43a81ede481caa69c1e58eb39

    SHA256

    901f4d6b37e9e2d2e17f082579d014a28d362711f3c90a0ca6537fb9412cd6ab

    SHA512

    371c329eebda4d44d816a86a59e281e834c57713b2b5dea4ece025735874024487892c5a422a7857eecf0797b0ffe2dcb166edc4c874c487845550cb195a1d0b

    Download Submit

  • memory/3472-37-0x0000000005EF0000-0x0000000006494000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3472-38-0x0000000005580000-0x00000000055E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3472-39-0x0000000005470000-0x00000000054E6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3472-40-0x00000000053F0000-0x0000000005454000-memory.dmp

    Filesize

    400KB

    Download

  • memory/3472-41-0x0000000005C80000-0x0000000005C9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4760-22-0x000000007536E000-0x000000007536F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-23-0x0000000000E80000-0x0000000000E92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4760-24-0x0000000075360000-0x0000000075B10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4760-25-0x00000000058A0000-0x000000000593C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4760-30-0x0000000075360000-0x0000000075B10000-memory.dmp

    Filesize

    7.7MB

    Download