Overview

overview

10

Static

static

3

Drivers.exe

windows10-2004-x64

10

Drivers.exe

windows10-ltsc 2021-x64

10

Resubmissions

13-01-2025 00:07

250113-aet59aymcl 3

11-01-2025 23:31

250111-3h1resxjcl 10

11-01-2025 23:29

250111-3g1p2awrgr 10

Analysis

  • max time kernel
    100s
  • max time network
    141s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    11-01-2025 23:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Drivers.exe

  • Size

    21KB

  • MD5

    3dbe554d99db5921c2869df9745b32be

  • SHA1

    ec61ad96e9848de6e55121c8acd8be6221cc204b

  • SHA256

    70b2d5ddb11d58b8a53d0fdc74259241057812e4dfc21a03b937a320e290d822

  • SHA512

    6e752d09c1c214bd73f5295eb6ff65eb324d123a57de4ae5516b972f9ec3208e962aca9089f9ef6b91ca3c9394d5c6fd68e806012e9b4aff3f9277b3ee8cd6cc

  • SSDEEP

    384:vTRQmNZSqP8MyoXKQmXNQltXpQyXlQx/uoOQtGQmXE9RrA5iXNjd2Ht5rkFJ0Wqx:WlOq2tzclrldjdKkFJCVA3g

Score
10/10
asyncratdefaultdiscoveryevasionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

136.243.175.182:7777

Mutex

9HD6aMtS9FtK

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Drivers.exe
    "C:\Users\Admin\AppData\Local\Temp\Drivers.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:692
    • C:\Users\Admin\AppData\Roaming\Main.exe
      "C:\Users\Admin\AppData\Roaming\Main.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2020
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8879.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2440
        • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
          "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8879.tmp.bat
    Filesize

    158B

    MD5

    e7d359c432e2e81676042ba7791f82a0

    SHA1

    1fa57c890ecdf6e9adabba86df21106ff13ec1c7

    SHA256

    5e21f6c835af3688a07b14343a74609155d4234820abbd1595f393e8ad58b209

    SHA512

    0aa8f0f0fac5a3b0c08c09140787856d34326a144167181dc9413419d6d5e97021214098f6ff3372429f87131eb421e4c538e00391295b1aa5eccfed405e7b4f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Main.exe
    Filesize

    45KB

    MD5

    3c1178d8a8669ab6be6cd9f7e0cbe003

    SHA1

    50899c700563e6e43a81ede481caa69c1e58eb39

    SHA256

    901f4d6b37e9e2d2e17f082579d014a28d362711f3c90a0ca6537fb9412cd6ab

    SHA512

    371c329eebda4d44d816a86a59e281e834c57713b2b5dea4ece025735874024487892c5a422a7857eecf0797b0ffe2dcb166edc4c874c487845550cb195a1d0b

    Download Submit

  • memory/112-25-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/112-26-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/112-27-0x0000000074A90000-0x0000000075241000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/112-28-0x0000000005630000-0x00000000056CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/112-33-0x0000000074A90000-0x0000000075241000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3872-40-0x00000000061B0000-0x0000000006756000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3872-41-0x0000000005CD0000-0x0000000005D36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3872-42-0x0000000006C20000-0x0000000006C96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3872-43-0x0000000006BA0000-0x0000000006C04000-memory.dmp

    Filesize

    400KB

    Download

  • memory/3872-44-0x0000000006CD0000-0x0000000006CEE000-memory.dmp

    Filesize

    120KB

    Download