Overview

overview

10

Static

static

10

winjs.exe

windows11-21h2-x64

10

winjs.exe

windows7-x64

10

winjs.exe

windows10-2004-x64

10

winjs.exe

windows10-ltsc 2021-x64

10

winjs.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    82s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/01/2025, 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winjs.exe

  • Size

    52KB

  • MD5

    623a97bc746f3b530b9f2cb2df7e9145

  • SHA1

    1c03bf8e9db2120a1473c9c6924059e75639fa1c

  • SHA256

    fe0f056142303bda8538355d81aced08b4792c9787c6060ccad08442e0dacad0

  • SHA512

    c0b89b096704a2727bf0242b2d20ed563980e51c4535cac98a9a34d84e89289bda87e3763bedb615f04f72d18a502f48b8ad5276c9e8dc4d1373e1a0bd47ff52

  • SSDEEP

    768:YoGDMmILyCe++bidiEuiso8Ybwge9V2COvEgK/Jn2i++++tyVc6KN:Yo0MWSMEzb3mOnkJLyVclN

Score
10/10
asyncratpowershellrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

PowerShell

Mutex

DCSSZZVV

Attributes
  • delay

    1

  • install

    true

  • install_file

    winws.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/cn4rM5C9

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\winjs.exe
    "C:\Users\Admin\AppData\Local\Temp\winjs.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winws" /tr '"C:\Users\Admin\AppData\Roaming\winws.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3740
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "winws" /tr '"C:\Users\Admin\AppData\Roaming\winws.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3320
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp95E7.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3324
      • C:\Users\Admin\AppData\Roaming\winws.exe
        "C:\Users\Admin\AppData\Roaming\winws.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4240
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1892 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ed22627-53fe-4ef9-a4e5-58647d498f03} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" gpu
        3⤵
          PID:392
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dec60d0-ebbb-4b81-8ed1-945bf653b140} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" socket
          3⤵
          • Checks processor information in registry
          PID:4032
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17dbb9f7-ba66-44f7-a742-f0b9dbe87dbb} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" tab
          3⤵
            PID:1892
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1680 -childID 2 -isForBrowser -prefsHandle 3144 -prefMapHandle 1672 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbf99b59-abff-48de-8c89-d3c5818fba89} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" tab
            3⤵
              PID:2028
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4868 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4848 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d6984a9-9cf8-4e68-9393-b3f67a8de3a9} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" utility
              3⤵
              • Checks processor information in registry
              PID:1104
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 3584 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70edb4df-3616-4478-8ff9-539c448385bb} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" tab
              3⤵
                PID:5572
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de446fa0-ed49-48ac-8804-96aed6fbf84b} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" tab
                3⤵
                  PID:5584
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dfd4a07-c5a3-4587-98ae-8dfb32d2221e} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" tab
                  3⤵
                    PID:5616
              • C:\Windows\system32\BackgroundTransferHost.exe
                "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                1⤵
                • Modifies registry class
                PID:6080
              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                1⤵
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:6132

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json
                Filesize

                22KB

                MD5

                00ebf447eae80700e6193e62d71b7ae0

                SHA1

                527cd2d19c5cafae68dd2fbed3cb431ff81ea0a3

                SHA256

                01fa71b215c906cc598d4b6beeb50353ac23f8864fef926c88cdc5787c0ccc44

                SHA512

                4456865bfd20d91b435ea2188e3875c84044a2b5b351a054f2dff1bfda2ab403abe893b28cad3e72cc0950805d52b92a69e638e67fc6b0a01b0148ada972212f

                Download Submit

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                Filesize

                15KB

                MD5

                96c542dec016d9ec1ecc4dddfcbaac66

                SHA1

                6199f7648bb744efa58acf7b96fee85d938389e4

                SHA256

                7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                SHA512

                cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                Filesize

                10KB

                MD5

                eed640164203d0d0a2a1e7919a6fdbdf

                SHA1

                9af74121e090cf2970beee82d22ef4ebb886c0ae

                SHA256

                4ca7fe712b4322fdb497733e015f4ae4496d3998772a6c37305da3cbba3eb7ae

                SHA512

                1bf6de193ae00189525ea9a685bbe3dc7722eceb6ccfb83c70adc766b6301b4978abf73b2f8f41b865f1521925308e4f96285dca569e9c2b2c61e79db1100e3d

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                Filesize

                10KB

                MD5

                069c37bf9e39b121efb7a28ece933aee

                SHA1

                eaef2e55b66e543a14a6780c23bb83fe60f2f04d

                SHA256

                485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

                SHA512

                f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp95E7.tmp.bat
                Filesize

                149B

                MD5

                1013da2110a7544cfc5ba75762a56a8b

                SHA1

                9446486c47a99c2dd7c7dfacd19eab70099d9a8f

                SHA256

                aca590cc9a5c89e671f7a913d11fc2cc0aa109887d12eed819c363dd3882d116

                SHA512

                0a753e6facd78fe8f010c58cd5d02caa43b0d67131df5b30c77c9f92bb024d0429573c0ebafd7127042ea17e547f604bbde1847f2d3478599ddfc2b585216955

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                5KB

                MD5

                d44e4316f96273d15ab96746afd30198

                SHA1

                8075e6c9d80b18ec6f83da302819098e4c6a8782

                SHA256

                2716872ecc4bd39203368aff2858314b022aa365ae734bbda7ef3f1e75c365d6

                SHA512

                5c01aa81b8747f84dbe82cd9250f0810021fb4493651d708e6442bfd3db7a3089489f3dcca6bf2f99445e760ade7b6956e0473808d42b2a6dd4fe40de34debdc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                5KB

                MD5

                60695a48269a90bed5fb210cbbe50864

                SHA1

                dc0fa3b6359d70529d1417c2a324c63fe3ba1466

                SHA256

                c3f4cceb23c8dec3902d64569974a8cfad522e339ccebc5e84015fcaf70456ca

                SHA512

                d70ddbc2fed641cf8cc124dcba2ff90c70c5f2c73b8339ee2a7e833fd3090b50ae65983d864c9d40d2b3bf454819d9997d75ea4cb23bd51f0bb7a7613b49005e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                7KB

                MD5

                7d75d7831d49f4c7a476e5e42a045c8b

                SHA1

                090ede443c38e7dd6d358d9611ddd836f4797880

                SHA256

                c2b574d7a92099c186146079341939625f1cc7a494b481c2018feab9a22f89ef

                SHA512

                27ff7660f71917af1608bed9acc4f7e2026b1cf49a0cb7145cf88d4b470ee5f1011d0d30d23db6b6ddbd9f40d52edf266690ca8aa54527f8b45407f438664479

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\31d2994a-7c0b-4613-824c-33ddc6e6d310
                Filesize

                671B

                MD5

                f80e44cf9e9e7b67053032bdb92dee6d

                SHA1

                7b732a2bf180215807104d7585bc3676c79f2c59

                SHA256

                a59885ad5d7d20c6a6b7a9a331ec4a01aac881a345d67f86e54d762fd7817803

                SHA512

                52d5fde7759cd30fa03192185923572d76ebf8d26e7ee6827ccf3438fa923994f5aa4316da0047606ea5c57f89d9bbb622dec47ab827cba8ef08a82744ecd386

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\704b7aca-3897-43d4-a080-2b19475b846c
                Filesize

                982B

                MD5

                0896771766c12422cc6eff8d061e457d

                SHA1

                35c47b6b01119c87baff44801abdaed3c4709892

                SHA256

                88b736e4297d20e0e42f4feeba852c2d12282af3b232f4339ae0f7a9440a44a6

                SHA512

                f8ab8380e36eebcb0e54e7fa2114ba6994d5902624481d64831dce94578a07ac91acb0b68cc3318a9aea9418fa26578e06577d93f5429a7266cd6524b3680d98

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\fb726a52-fee7-4d18-bf1a-33a66db92208
                Filesize

                25KB

                MD5

                7ba0471a4b557458aa9c14b0c4f0f9bb

                SHA1

                5b96effa1c4708923301fc59c40886942ca4ebc9

                SHA256

                919d1cc09511170908534f9043d0b893cc4fe5db657c3c997ea3a1841f7d6064

                SHA512

                0b5fac5bf3d64eb27614585c8a8a5b0f173b032b3498b03d8051e4cfce5c0ba4afae6e7f1af87ac570f2a1f9f17f53aab82ebeb6279ffdd56a029a24a5e5e8b8

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js
                Filesize

                9KB

                MD5

                545e6573dfaff191e3e6e6441b8231fc

                SHA1

                f0bd4de998464b5665152c6a71a637ec480b0ca3

                SHA256

                84c2539f782e8d8233aa1a02b1ef7be8638f614c5e74b39d33809dad7992a89e

                SHA512

                6077d4ab027119ad2860ef97c9f18d56c7c3cc0aaee36b17c228ba036d217c902068b0ab61fdb18961c1bb7b956f37c04f57591f4bc66fffb591ef4222f8a140

                Download Submit

              • C:\Users\Admin\AppData\Roaming\winws.exe
                Filesize

                52KB

                MD5

                623a97bc746f3b530b9f2cb2df7e9145

                SHA1

                1c03bf8e9db2120a1473c9c6924059e75639fa1c

                SHA256

                fe0f056142303bda8538355d81aced08b4792c9787c6060ccad08442e0dacad0

                SHA512

                c0b89b096704a2727bf0242b2d20ed563980e51c4535cac98a9a34d84e89289bda87e3763bedb615f04f72d18a502f48b8ad5276c9e8dc4d1373e1a0bd47ff52

                Download Submit

              • memory/560-0-0x00007FFE9D993000-0x00007FFE9D995000-memory.dmp

                Filesize

                8KB

                Download

              • memory/560-8-0x00007FFE9D990000-0x00007FFE9E452000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/560-2-0x00007FFE9D990000-0x00007FFE9E452000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/560-1-0x00000000003B0000-0x00000000003C4000-memory.dmp

                Filesize

                80KB

                Download