Analysis
-
max time kernel
274s -
max time network
293s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21/01/2025, 11:47
General
-
Target
8a2abab20bf75ac19eaa73be3b09219d.exe
-
Size
455KB
-
MD5
8a2abab20bf75ac19eaa73be3b09219d
-
SHA1
c0fa652bb151644bf76b55f3c9d68cb5e8d7faf3
-
SHA256
866ac65940057d6e1a125eda23a12d6743d75e6ff3a74ff6d53debb3fe90a368
-
SHA512
e8842b9f47a5dce906ddca3dfbb608eba660c80364ed0b02b48c33e161df3e95226d713177733e7591cc7eccecb3f48e1a731576a90d6fbda194de98de5495c9
-
SSDEEP
12288:gPn4HHOqpc/Xzm9HtpiuJZoEMkEbSvxJxhF3eggJG:gPn6pc/WHtplJCDkE2/PNz
Malware Config
Extracted
asyncrat
0.5.7B
Default
sbmsbm20.duckdns.org:2020
sbmsbm20.duckdns.org:3040
sbmsbm20.duckdns.org:4040
hpdndbnb.duckdns.org:2020
hpdndbnb.duckdns.org:3040
hpdndbnb.duckdns.org:4040
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Acrobat Reader.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Access Token Manipulation: Create Process with Token 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exeC:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe sh $MOZILLA\nPLUGIN %SIGILL% "SIGTERM|DESTROY|SIGKILL"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" stop WinDefend3⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exeC:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Acrobat Reader" /tr '"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Acrobat Reader" /tr '"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4F5.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run5⤵
- Executes dropped EXE
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" stop WinDefend6⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run5⤵
- Executes dropped EXE
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Impair Defenses
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b5291f3dcf2c13784e09a057f2e43d13
SHA1fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
SHA256ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
SHA51211c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4
-
Filesize
455KB
MD58a2abab20bf75ac19eaa73be3b09219d
SHA1c0fa652bb151644bf76b55f3c9d68cb5e8d7faf3
SHA256866ac65940057d6e1a125eda23a12d6743d75e6ff3a74ff6d53debb3fe90a368
SHA512e8842b9f47a5dce906ddca3dfbb608eba660c80364ed0b02b48c33e161df3e95226d713177733e7591cc7eccecb3f48e1a731576a90d6fbda194de98de5495c9
-
Filesize
88KB
MD517fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
Filesize
161B
MD5f929c1920c08511b5f8aac4199434ead
SHA157983052ed9738c0bc7afeee6f0dd074ec19c20d
SHA256b518cd9ecaf65e3bb6c39d0fe0ffda3d9e248166aed1463d0ecf6c752a5ae985
SHA5128b1bc972563cedd1e2e4197e5831417ffe65f3500542f17e512c1625c3dca8696475fd851b214bed8dbd5e8edb51a2d4be6b5ffba6c9eec9cae18a54ccd69168
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD538f0f14cc7ca72ad51216866e66efb4e
SHA134ed0f47a4aaa95e786ca9f125b0341b38bfb9be
SHA256668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501
SHA5124a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
4KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
440KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
288KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
464KB