Analysis

max time kernel: 42s
max time network: 49s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 19:28
Behavioral task: behavioral1
Sample: 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe
Resource: win7-20240903-en
General

Target: 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe
Size: 48KB
MD5: 4e0cec665c34fcac8a25c5facb5e09d1
SHA1: 6c39b30a086b939a2df2607f68b223bacc239f06
SHA256: 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd
SHA512: d274cbd7d51d3dccd91d1577816e9be7308fc341c2832dceb798f6c2f3965ede75d724933a081f02bfc877337221fa1b59de4151900104379a63697e3f6b9967
SSDEEP: 768:mIUR8bIL+Cyq+DiiwpzdiWpEicq8Yb/geQm0aHRvEgK/JXkVc6KN:mnIeiSiCzbIhgnkJXkVclN
Malware Config

Extracted
Family: asyncrat
Version: 1.0.7
2025
C2: up.nemesissoftlab.com:7777
2025
delay: 1
install: true
install_file: svchost.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoC)
  resource: behavioral2/files/0x000c000000024053-10.dat
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation
  Process: 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe

Executes dropped EXE (1 IoC)
  pid 4776  Process svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid 4748  Process timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4752  Process schtasks.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 620  Process 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe (all 23 entries identical)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 620   Process 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe
  Token: SeDebugPrivilege  pid 4776  Process svchost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 620 wrote to memory of 4692 | 620 | 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe | 90
  PID 620 wrote to memory of 4692 | 620 | 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe | 90
  PID 620 wrote to memory of 4892 | 620 | 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe | 92
  PID 620 wrote to memory of 4892 | 620 | 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe | 92
  PID 4692 wrote to memory of 4752 | 4692 | cmd.exe | 94
  PID 4692 wrote to memory of 4752 | 4692 | cmd.exe | 94
  PID 4892 wrote to memory of 4748 | 4892 | cmd.exe | 95
  PID 4892 wrote to memory of 4748 | 4892 | cmd.exe | 95
  PID 4892 wrote to memory of 4776 | 4892 | cmd.exe | 100
  PID 4892 wrote to memory of 4776 | 4892 | cmd.exe | 100

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd.exe"
  PID: 620
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 4692
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 4752
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp48F0.tmp.bat""
    PID: 4892
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 4748
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 4776
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 151B
MD5: c64e56b6e1ccb70f9ba61a7cf881616f
SHA1: 9601253b65a4f598b32f360c3935e825f46d492a
SHA256: 11ee834107564f6d326de12740f7af5b4ae6a9dbe95cf109251eb4cbd1e8daf4
SHA512: 5d550faf55ef755e0d462af3ee6abcf76492538b1ad9c5e3a9abcd53122196fa75ca6f43053c3a1fe44d2391ff21a86cf8caa7b48120a48ac6c1f319216e14ee

Filesize: 48KB
MD5: 4e0cec665c34fcac8a25c5facb5e09d1
SHA1: 6c39b30a086b939a2df2607f68b223bacc239f06
SHA256: 6d0670f3e16209d8c13b7b3ea7527be5d1df24ece0bf6f1026aefae0860db3dd
SHA512: d274cbd7d51d3dccd91d1577816e9be7308fc341c2832dceb798f6c2f3965ede75d724933a081f02bfc877337221fa1b59de4151900104379a63697e3f6b9967