Analysis

max time kernel: 56s
max time network: 60s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2022 18:18
Behavioral task: behavioral1
Sample: 091087e7aa7c350baaf2bcd98e904a1c.exe
Resource: win7-20220901-en
General

Target: 091087e7aa7c350baaf2bcd98e904a1c.exe
Size: 208KB
MD5: 091087e7aa7c350baaf2bcd98e904a1c
SHA1: 2267aa2069e727acd7c68389655948173898c92a
SHA256: c23720918a8e7437696b641fad5fe9b76ac0cea2269ed1e741113c77e434cc00
SHA512: 1e0cc48aef8147de5ddc7e04486761fd8a3fa4d11f4b68d8d21c9cc25d54e2e94f0d2f967e1b252597b52a7b6039f2ca3be6cca1248cd7586d7f56525fdf3505
SSDEEP: 3072:kuoETxoZ2p3h3ba1UQXVe2CYCtSZZZZ8Ux:kuoz873b/klCYCtSZZZZ8W
Malware Config
Signatures

Async RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1388-54-0x00000000012D0000-0x000000000130A000-memory.dmp   asyncrat
  behavioral1/memory/1388-56-0x00000000008B0000-0x00000000008D6000-memory.dmp   asyncrat
  behavioral1/memory/1388-57-0x0000000000C80000-0x0000000000CA4000-memory.dmp   asyncrat

Deletes itself (1 IoC)
  pid    process
  2756   cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Delays execution with timeout.exe (1 IoC)
  pid    process
  2784   timeout.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1388   091087e7aa7c350baaf2bcd98e904a1c.exe
  Token: SeDebugPrivilege   1388   091087e7aa7c350baaf2bcd98e904a1c.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    process                                target process
  PID 1388 wrote to memory of 2756   1388   091087e7aa7c350baaf2bcd98e904a1c.exe   cmd.exe
  PID 1388 wrote to memory of 2756   1388   091087e7aa7c350baaf2bcd98e904a1c.exe   cmd.exe
  PID 1388 wrote to memory of 2756   1388   091087e7aa7c350baaf2bcd98e904a1c.exe   cmd.exe
  PID 1388 wrote to memory of 2756   1388   091087e7aa7c350baaf2bcd98e904a1c.exe   cmd.exe
  PID 2756 wrote to memory of 2784   2756   cmd.exe                                timeout.exe
  PID 2756 wrote to memory of 2784   2756   cmd.exe                                timeout.exe
  PID 2756 wrote to memory of 2784   2756   cmd.exe                                timeout.exe
  PID 2756 wrote to memory of 2784   2756   cmd.exe                                timeout.exe
Processes

[1] PID 1388  C:\Users\Admin\AppData\Local\Temp\091087e7aa7c350baaf2bcd98e904a1c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\091087e7aa7c350baaf2bcd98e904a1c.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] PID 2756  C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCD7A.tmp.bat""
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        [3] PID 2784  C:\Windows\SysWOW64\timeout.exe
            command line: timeout 3
            - Delays execution with timeout.exe
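The chain in the process tree (sample, then cmd /c on a tmpXXXX.tmp.bat dropped in %TEMP%, then timeout 3) is the self-delete routine that the "Deletes itself" signature attributes to cmd.exe (PID 2756) rather than to the sample. On an endpoint, the file-delete event therefore appears under cmd.exe, and the actor of interest is its parent. The following is an added example, not part of the sandbox report: a small Python detector run over process-creation records constructed from this report's PIDs and command lines. The Proc record shape, the event lists and find_self_delete_chains() are assumptions for illustration; the contents of tmpCD7A.tmp.bat are not shown on the page, so the check keys only on the visible chain (cmd.exe launched with /c and a %TEMP% tmp*.tmp.bat path, parented by an executable outside the Windows directory, with a timeout.exe child marking the delay).

```python
"""Detect the sample -> cmd /c tmpXXXX.tmp.bat -> timeout.exe self-delete chain.

Added example: the process records below are constructed from the PIDs and
command lines in the sandbox report; they are not a real EDR export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    """One process-creation record (illustrative shape, not a vendor schema)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs 1388 -> 2756 -> 2784).
REPORT_EVENTS: List[Proc] = [
    Proc(1388, None,
         r"C:\Users\Admin\AppData\Local\Temp\091087e7aa7c350baaf2bcd98e904a1c.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\091087e7aa7c350baaf2bcd98e904a1c.exe"'),
    Proc(2756, 1388, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCD7A.tmp.bat""'),
    Proc(2784, 2756, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
]

# Constructed benign control: an admin script run from a tools directory.
BENIGN_EVENTS: List[Proc] = [
    Proc(400, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(500, 400, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Tools\build.bat"'),
    Proc(510, 500, r"C:\Windows\System32\timeout.exe", "timeout 3"),
]

# GetTempFileName()-style batch file in the user's %TEMP%:
# <drive>:\...\AppData\Local\Temp\tmp<hex>.tmp.bat
TEMP_BAT = re.compile(
    r'([A-Za-z]:\\[^"]*?\\AppData\\Local\\Temp\\tmp[0-9A-Fa-f]{1,4}\.tmp\.bat)',
    re.IGNORECASE,
)

# Parents living here are treated as system binaries and not reported.
SYSTEM_DIRS = ("\\windows\\",)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events: List[Proc]) -> List[Dict[str, object]]:
    """Return one record per cmd.exe that runs a tmp*.tmp.bat from %TEMP% on behalf
    of a non-system parent executable; 'delayed' marks a timeout.exe child."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in events}
    children: Dict[Optional[int], List[Proc]] = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)

    hits: List[Dict[str, object]] = []
    for cmd in events:
        if _basename(cmd.image) != "cmd.exe" or " /c " not in cmd.cmdline.lower():
            continue
        m = TEMP_BAT.search(cmd.cmdline)
        if not m:
            continue
        parent = by_pid.get(cmd.ppid)
        # The deleting process is cmd.exe; the actor of interest is its parent,
        # which in the report is an .exe running out of %TEMP%, not a system path.
        if parent is None or not parent.image.lower().endswith(".exe"):
            continue
        if any(d in parent.image.lower() for d in SYSTEM_DIRS):
            continue
        delayed = any(_basename(c.image) == "timeout.exe"
                      for c in children.get(cmd.pid, []))
        hits.append({
            "sample_pid": parent.pid,
            "sample_image": parent.image,
            "cmd_pid": cmd.pid,
            "bat_path": m.group(1),
            "delayed": delayed,
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(REPORT_EVENTS):
        print(hit)
```

Run against the report's events the detector yields one chain (sample PID 1388, cmd.exe PID 2756, tmpCD7A.tmp.bat, delayed by timeout.exe) and nothing for the benign control, whose batch file is not under %TEMP%. The memory dump names in the Downloads section can be cross-checked the same way: 0x130A000 - 0x12D0000 = 0x3A000 bytes, which is the 232KB listed for the 1388-54 dump.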
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCD7A.tmp.bat
  Filesize: 184B
  MD5: db4f9a001ceb32b50220c3883712cf4d
  SHA1: baf4fc371cb8635f05a15a85b00721aad45a5155
  SHA256: 960e8c6763ab73720a23a52c4e30edb2dad16eac1d2a3849fcc998e8b3b47916
  SHA512: 3329d64b784eca4ffce18f70d6750afaec018c83c46b039bef12a720b075e2b7b6b0c2e9c88c37dc4f9e17fb66180c032a05b096ef8ec90f8ef04f6f828442cc

memory/1388-54-0x00000000012D0000-0x000000000130A000-memory.dmp
  Filesize: 232KB

memory/1388-55-0x0000000075711000-0x0000000075713000-memory.dmp
  Filesize: 8KB

memory/1388-56-0x00000000008B0000-0x00000000008D6000-memory.dmp
  Filesize: 152KB

memory/1388-57-0x0000000000C80000-0x0000000000CA4000-memory.dmp
  Filesize: 144KB

memory/2756-58-0x0000000000000000-mapping.dmp

memory/2784-60-0x0000000000000000-mapping.dmp