Analysis
max time kernel: 59s
max time network: 61s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 19:19
Behavioral task: behavioral1
Sample: 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
Resource: win7-20241023-en
General
Target: 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
Size: 47KB
MD5: 9cd4cecc2222edd87b47d91699994f1b
SHA1: 4adaad47a38b75be90ce2c09e03570573aa25668
SHA256: 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64
SHA512: 9a662a47455183be5bd09e81551bcf8e1d632da4fcbc24be0af52b08f1a9eda7ebf9f2c9449ec0e0a238bde95cfc00e828bdfe82c8d23e493651c77bcecf61b9
SSDEEP: 768:kV0aWbILWCaS+Dimiiv68YbugD4xE0RtvEgK/JjZVc6KN:k6aMWzzbRiECnkJjZVclN
Malware Config
Extracted
asyncrat
1.0.7
7777
up.nemesissoftlab.com:7777
7
delay: 1
install: true
install_file: usb.exe
install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x0009000000012117-14.dat
  yara_rule: family_asyncrat
- Executes dropped EXE (1 IoC)
  PID 2824, process usb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 2468, process timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2124, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2596, process 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
  PID 2596, process 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
  PID 2596, process 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2596, process 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
  Token: SeDebugPrivilege, PID 2824, process usb.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Columns: description, pid, process, procid_target
  PID 2596 wrote to memory of 2308, 2596 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe, 30
  PID 2596 wrote to memory of 2308, 2596 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe, 30
  PID 2596 wrote to memory of 2308, 2596 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe, 30
  PID 2596 wrote to memory of 2080, 2596 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe, 32
  PID 2596 wrote to memory of 2080, 2596 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe, 32
  PID 2596 wrote to memory of 2080, 2596 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe, 32
  PID 2308 wrote to memory of 2124, 2308 cmd.exe, 34
  PID 2308 wrote to memory of 2124, 2308 cmd.exe, 34
  PID 2308 wrote to memory of 2124, 2308 cmd.exe, 34
  PID 2080 wrote to memory of 2468, 2080 cmd.exe, 35
  PID 2080 wrote to memory of 2468, 2080 cmd.exe, 35
  PID 2080 wrote to memory of 2468, 2080 cmd.exe, 35
  PID 2080 wrote to memory of 2824, 2080 cmd.exe, 36
  PID 2080 wrote to memory of 2824, 2080 cmd.exe, 36
  PID 2080 wrote to memory of 2824, 2080 cmd.exe, 36
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2596
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "usb" /tr '"C:\Users\Admin\AppData\Roaming\usb.exe"' & exit
      - Suspicious use of WriteProcessMemory
      PID: 2308
      3. C:\Windows\system32\schtasks.exe
         Command line: schtasks /create /f /sc onlogon /rl highest /tn "usb" /tr '"C:\Users\Admin\AppData\Roaming\usb.exe"'
         - Scheduled Task/Job: Scheduled Task
         PID: 2124
   2. C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE87.tmp.bat""
      - Suspicious use of WriteProcessMemory
      PID: 2080
      3. C:\Windows\system32\timeout.exe
         Command line: timeout 3
         - Delays execution with timeout.exe
         PID: 2468
      3. C:\Users\Admin\AppData\Roaming\usb.exe
         Command line: "C:\Users\Admin\AppData\Roaming\usb.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 147B
  MD5: 3ef33752cd028d34bd87ec98ce4cf914
  SHA1: 45e5e67974898b8aab1e683102e3db45f280d973
  SHA256: 06658372e072f00990a0d144ac8afcd44e813cdf36d226e69d73ddd56abbb9b8
  SHA512: bde6ddf04ba68495a2e3fc48a501188ad6c61d4a70756fc6a9a8c71fbb5c5c40d0a4a39314ce6f16a77eddd6b5c5bc99039d3826e9c2cf06450164e8091972a4
- Filesize: 47KB
  MD5: 9cd4cecc2222edd87b47d91699994f1b
  SHA1: 4adaad47a38b75be90ce2c09e03570573aa25668
  SHA256: 93dc353da2ebdd6a3cec8e1d2401f88284001e2083628c40c4cf06a7c8f92a64
  SHA512: 9a662a47455183be5bd09e81551bcf8e1d632da4fcbc24be0af52b08f1a9eda7ebf9f2c9449ec0e0a238bde95cfc00e828bdfe82c8d23e493651c77bcecf61b9