Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20/01/2025, 08:22
General
-
Target
PetSim99GUI.exe
-
Size
48KB
-
MD5
f5fa1fb705307bd25ca0d0408b8d6684
-
SHA1
31dffff48303612d94d4c10083ade7c6b3b777a3
-
SHA256
1659db1c128cc72c1d5db8ec73a93cc89cc684f00a4c2b83b76fef32af45fe07
-
SHA512
a2803bf7b0662893c1bbc5f2bf876690e57fbf611225cfd968cd04d9c3a005b3d71b27e2df8003ddfa2fcf353691957ea27b119dad88073f8adc9d5114abd246
-
SSDEEP
768:OugvNTjgkH7F7WUHF9pmo2q7cJ/IP8Xjog1VPI0HgmP0i0bc64EU7XoEFmSwBqRb:OugvNTcIb2te3gE0H6dbcjE+z5vdzH
Malware Config
Extracted
asyncrat
0.5.8
Default
letsgetdigging.hopto.org:6606
gwp6EO1O6Isj
-
delay
3
-
install
true
-
install_file
PS99.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PetSim99GUI.exe"C:\Users\Admin\AppData\Local\Temp\PetSim99GUI.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "PS99" /tr '"C:\Users\Admin\AppData\Roaming\PS99.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "PS99" /tr '"C:\Users\Admin\AppData\Roaming\PS99.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp395D.tmp.bat""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\PS99.exe"C:\Users\Admin\AppData\Roaming\PS99.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148B
MD517a1c8f8657670121327cc19ccad1868
SHA13bcec43d98dfc0bf4e4800468fb1aed7b1f9d364
SHA25621d4ebd979419dbe8e32b9b8f3c325671cc1342d67fc7a3dc462d5fccf5cdebf
SHA512236d53f1d1d0c21831359f250ffc97fd784896f5d5cd3772a73fc1d1dfcf3dbd7477af1a9ecf23920438bbbcad1c8b91d107912168720304008b55b3b3a33487
-
Filesize
48KB
MD5f5fa1fb705307bd25ca0d0408b8d6684
SHA131dffff48303612d94d4c10083ade7c6b3b777a3
SHA2561659db1c128cc72c1d5db8ec73a93cc89cc684f00a4c2b83b76fef32af45fe07
SHA512a2803bf7b0662893c1bbc5f2bf876690e57fbf611225cfd968cd04d9c3a005b3d71b27e2df8003ddfa2fcf353691957ea27b119dad88073f8adc9d5114abd246
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
7.7MB