Analysis
- max time kernel: 153s
- max time network: 207s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 07:58
Static task: static1
Behavioral task: behavioral1
- Sample: a.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a.exe
- Resource: win10v2004-20220812-en
General
- Target: a.exe
- Size: 1.4MB
- MD5: 8a627782b855f06a3d6d273d11f04f46
- SHA1: 30570c697533fc3fc7a19ad5d4bc3753f2cf1c0b
- SHA256: f0b7a0368fc27d98d42efd4e9c9dd2c252e5fcaaf13ffd67b3c545ec5b1c53e9
- SHA512: 211fed71bcb75201380921a7de7bf8b88c451a5125f751be616a1775ad3c6a1d59ecc77aa997b053583c1a7d6419e4cfa8ff9bc99d50d1440bf34943d2c1a578
- SSDEEP: 24576:xirh2DKsuoIj4G6KFined4e5+MRicaRT4D2aKpq9ZEjrTnFOyzhyz:Ir0DfFpG6S68+KaRTWNKpEEfTnF
Malware Config
Extracted
- family: asyncrat
- version: XieBroRAT-1.7
- botnet: Default
- C2: 127.0.0.1:8880, 8079048a.e2.luyouxia.net:8880
- mutex: gorousdwoqxqqq
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral1/memory/1376-66-0x00000000029A0000-0x00000000029B2000-memory.dmp, yara_rule: asyncrat
- Blocklisted process makes network request (3 IoCs)
  flows 8, 10, 11: pid 1376 powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1376 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1376 powershell.exe (reported twice)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1208 (a.exe) wrote to memory of PID 1376 (powershell.exe), reported three times
Processes
- C:\Users\Admin\AppData\Local\Temp\a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -ExecutionPolicy Bypass -F C:\ProgramData\test.ps1
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\test.ps1
  Filesize: 310KB
  MD5: 220e9238b05cb802d63f7d79d11b2a32
  SHA1: 77324ddee92b5ee1c2d50680ea15dd6e28ef402b
  SHA256: 248d8893d926c765d168bd48211650094dbcf8a8988c448f3b271c41bec8ca9d
  SHA512: 748f9149ceaa46789938d66a87dad5c92a9beea65a7c84c07fa42378fdee70b1340d777fcfc78efcd85254660fd4a858fe10bd83464564cde7b12c01ebbcdb7a
- memory/1208-54-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp (Filesize: 8KB)
- memory/1376-55-0x0000000000000000-mapping.dmp
- memory/1376-57-0x000007FEF3C60000-0x000007FEF4683000-memory.dmp (Filesize: 10.1MB)
- memory/1376-58-0x000007FEF3100000-0x000007FEF3C5D000-memory.dmp (Filesize: 11.4MB)
- memory/1376-59-0x00000000025A4000-0x00000000025A7000-memory.dmp (Filesize: 12KB)
- memory/1376-60-0x000000001B790000-0x000000001BA8F000-memory.dmp (Filesize: 3.0MB)
- memory/1376-62-0x00000000025AB000-0x00000000025CA000-memory.dmp (Filesize: 124KB)
- memory/1376-63-0x00000000024B0000-0x00000000024C5000-memory.dmp (Filesize: 84KB)
- memory/1376-64-0x00000000025A4000-0x00000000025A7000-memory.dmp (Filesize: 12KB)
- memory/1376-65-0x00000000025AB000-0x00000000025CA000-memory.dmp (Filesize: 124KB)
- memory/1376-66-0x00000000029A0000-0x00000000029B2000-memory.dmp (Filesize: 72KB)