Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/02/2025, 18:12

General

  • Target
    Desktop.exe
  • Size
    611KB
  • MD5
    0477439dfc65222b446ca4a31c6a5bcd
  • SHA1
    17e04cdc917891b25f0f585375e142fcc140403f
  • SHA256
    4ce4ae76ccf0787e7fdbc7841c1e9e553831533b39e50c45e35c0f243e1409c8
  • SHA512
    1f584a63ce4f3301325c81a920341de79cf3d5fe8d2f4cfffc8b086a5f1b1e2d6443bcfae9067f1a224d46c55a00be85e5e8957b7658ed965ccd27eae670024f
  • SSDEEP
    6144:Bz1eXfQ+IqV6EL8aVh3ZqK8DN/ya7cLyMO84+c4Edd47BXAFk/yDwZpLptmZMDlp:qngM8K8P4ElXddah8kyDIZDWgfMAJ

Score
10/10

Malware Config

Extracted

  • Family
    asyncrat
  • Botnet
    Default
  • C2
    6.tcp.ngrok.io:17720

Attributes
  • delay
    1
  • install
    true
  • install_file
    idk.exe
  • install_folder
    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
    "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\infected.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\infected.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "idk" /tr '"C:\Users\Admin\AppData\Roaming\idk.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3328
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "idk" /tr '"C:\Users\Admin\AppData\Roaming\idk.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3140
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF1C.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1368
        • C:\Users\Admin\AppData\Roaming\idk.exe
          "C:\Users\Admin\AppData\Roaming\idk.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe
    Filesize
    63KB
    MD5
    2f78d668a4ca22f400e30dfb8b28f47f
    SHA1
    98690e10a528b1944633c1dfc7006114020b4d30
    SHA256
    5a360eff532c0d083e250741c0607a4c7a7dff434c16d7b0512965752f6f8522
    SHA512
    b6157efc937711732c95719e204fdf50cbafa112fbd8db74280553b12cc91dc32652a5814ab583205df767d7c879a9abafabe68eb1784b8b3b4bfcb0d2fbca36
  • C:\Users\Admin\AppData\Local\Temp\tmpAF1C.tmp.bat
    Filesize
    147B
    MD5
    f926cc72bb0329043cd7bdf330076de0
    SHA1
    71ed2d555e2384e01d53b06cd5ca34fa4690c1a3
    SHA256
    9979e7677ec0e31fef6ca06d1b8efbe86219babbd1f738b299544c956fdd79cd
    SHA512
    3ac58b3a2d2210281f1cad498729e0a677fe437bd575214324faa2f6f20395c2780747c2026ca170cd3417aaa163dcd6c58daae7341c86b2600162bd37c0f6e3
  • memory/1200-12-0x00007FFE77F03000-0x00007FFE77F05000-memory.dmp
    Filesize
    8KB
  • memory/1200-13-0x00000000000D0000-0x00000000000E6000-memory.dmp
    Filesize
    88KB
  • memory/1200-14-0x00007FFE77F00000-0x00007FFE789C1000-memory.dmp
    Filesize
    10.8MB
  • memory/1200-15-0x00007FFE77F00000-0x00007FFE789C1000-memory.dmp
    Filesize
    10.8MB
  • memory/1200-20-0x00007FFE77F00000-0x00007FFE789C1000-memory.dmp
    Filesize
    10.8MB