Analysis
max time kernel: 76s
max time network: 78s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2023 19:08
Behavioral task: behavioral1
Sample: bJwE.exe
Resource: win7-20220812-en
General
Target: bJwE.exe
Size: 47KB
MD5: a19f3395e7a7f2981eccd6448d6921aa
SHA1: 09c6a9dbff7f8dbd3c57946e686adedf9b9a1702
SHA256: 4f23c0742d9a19732acdcc777b4168366d4762b7f9fa553d1dbc62b68378cc97
SHA512: 9a8dc4c29cea92969e1f2e9974db056f5aa25f9ca46bc70b61da141e964d136ccfbb961b9113de5b984682e7cd89bb16864349075e963c2e0d47ea205161940a
SSDEEP: 768:p96mxUTILWCaS+DiMtelDSN+iV08YbygePr7DlPlXWvEgK/JnZVc6KN:p96AKWMtKDs4zb1ulPlXWnkJnZVclN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex: gkAyQRdKkCButk6TyMAZ
delay: 1
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/FcHGaN0M
Note: with install set to false the client does not copy itself into %AppData% or register persistence, so install_folder is unused on this run. No C2 host or port is embedded in the configuration; pastebin_config points at a raw paste from which the client fetches the C2 address at runtime, so the actual C2 can only be recovered while that paste is still online.
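The configuration above carries no C2 address of its own, only a paste URL. The following is an added example, not part of the sandbox report or of AsyncRAT, of turning such an extracted config into actionable IoCs while handling the case where the paste has already been taken down. The dictionary keys, the labels "botnet" and "mutex" for the "Default" and "gkAyQRdKkCButk6TyMAZ" values, the injected fetch callable, and the sample paste body in the demo are all assumptions; the open-source AsyncRAT client splits the downloaded paste on ":" into host and port, which is what parse_c2_paste mirrors.

```python
from typing import Callable, Dict, List, Tuple

# Extracted configuration as listed on this page. The "botnet" and "mutex"
# labels are assumed for the "Default" and "gkAyQRdKkCButk6TyMAZ" values.
CONFIG = {
    "family": "asyncrat",
    "version": "1.0.7",
    "botnet": "Default",
    "mutex": "gkAyQRdKkCButk6TyMAZ",
    "delay": 1,
    "install": False,
    "install_folder": "%AppData%",
    "pastebin_config": "https://pastebin.com/raw/FcHGaN0M",
}


def parse_c2_paste(body: str) -> List[Tuple[str, int]]:
    """The open-source AsyncRAT client downloads the raw paste and splits it
    on ':' into host and port. Tolerate whitespace, reject anything else
    (an HTML "paste removed" page, an empty body, a bad port)."""
    body = body.strip()
    if ":" not in body:
        return []
    host, _, port = body.partition(":")
    host, port = host.strip(), port.strip()
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        return []
    return [(host, int(port))]


def asyncrat_iocs(cfg: Dict, fetch: Callable[[str], str]) -> Dict:
    """Turn an extracted config into IoCs. `fetch(url) -> str` is injected so
    the function runs offline; in practice it is an HTTP GET of the raw paste.
    The paste may be gone by the time an analyst looks, so that case is
    recorded instead of raising."""
    iocs = {
        "mutex": cfg["mutex"],
        "persistence_expected": bool(cfg["install"]),
        "install_path": cfg["install_folder"] if cfg["install"] else None,
        "startup_delay_s": cfg["delay"],
        "c2": [],
        "c2_source": "embedded",
        "paste_url": cfg.get("pastebin_config"),
    }
    url = cfg.get("pastebin_config")
    if url and url.lower() != "null":  # AsyncRAT uses the string "null" when unset
        iocs["c2_source"] = "pastebin"
        try:
            iocs["c2"] = parse_c2_paste(fetch(url))
        except Exception:
            iocs["c2_source"] = "pastebin (unreachable)"
    return iocs


if __name__ == "__main__":
    # Constructed paste body for demonstration; not the real paste content.
    demo = asyncrat_iocs(CONFIG, lambda url: "198.51.100.7:6606")
    print(demo)
    # Paste already removed: no C2 recoverable, only the mutex and paste URL remain.
    def gone(url: str) -> str:
        raise OSError("HTTP 404")
    print(asyncrat_iocs(CONFIG, gone))
```

In triage the useful outputs are the mutex (a host-level IoC that survives the paste being removed), the paste URL itself as a network IoC, and the persistence expectation, which for this sample is none because install is false.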
Signatures
Async RAT payload (2 IoCs)
- behavioral1/memory/1976-54-0x0000000001110000-0x0000000001122000-memory.dmp matched yara rule asyncrat
- behavioral1/memory/1976-55-0x0000000000B20000-0x0000000000B84000-memory.dmp matched yara rule asyncrat
Deletes itself (1 IoC)
- cmd.exe, pid 1880
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- the pastebin_config URL in the extracted configuration
Delays execution with timeout.exe (1 IoC)
- timeout.exe, pid 920
Suspicious use of AdjustPrivilegeToken (1 IoC)
- bJwE.exe, pid 1976: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1976 (bJwE.exe) wrote to memory of PID 1880 (cmd.exe), 3 events
- PID 1880 (cmd.exe) wrote to memory of PID 920 (timeout.exe), 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\bJwE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bJwE.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp106E.tmp.bat""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
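The chain above (sample in the user's Temp directory, cmd.exe running a tmpXXXX.tmp.bat dropped next to it, timeout as a sleep) is the self-removal routine the "Deletes itself" signature fires on; the batch file's contents are not shown on this page. Below is an added example, not part of the sandbox report, of detection logic for that chain run over process-creation events. The event schema (pid, ppid, image, cmdline), the regular expressions and the user-writable directory list are assumptions, and the sample events are constructed from this page's process tree.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (hypothetical Sysmon-like schema)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as recorded


# Constructed from the process tree in the report above (PIDs, paths and
# command lines as the sandbox printed them); ppid 0 marks the submitted sample.
SAMPLE_EVENTS = [
    ProcEvent(1976, 0, r"C:\Users\Admin\AppData\Local\Temp\bJwE.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bJwE.exe"'),
    ProcEvent(1880, 1976, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp106E.tmp.bat""'),
    ProcEvent(920, 1880, r"C:\Windows\system32\timeout.exe", "timeout 3"),
]

# GetTempFileName()-style name (tmpXXXX.tmp) with .bat appended, under the
# user's Temp directory, as in the dropped file listed below.
TEMP_BAT_RE = re.compile(r'([A-Z]:\\[^"]*?\\Temp\\tmp[0-9A-F]{1,4}\.tmp\.bat)', re.I)
# "timeout N" or "timeout /t N" used as a sleep before the delete.
TIMEOUT_RE = re.compile(r'^\s*(?:.*\\)?timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)', re.I)
# Heuristic: user-writable drop locations (assumption; tune per environment).
USER_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads")


def find_self_delete_chains(events: List[ProcEvent]) -> List[Dict]:
    """Return one record per chain  <exe> -> cmd.exe /c tmpXXXX.tmp.bat -> timeout N.

    Matching on the full chain rather than on cmd.exe alone keeps ordinary
    "cmd /c something.bat" invocations out of the results."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits: List[Dict] = []
    for cmd in events:
        if not cmd.image.lower().endswith(r"\cmd.exe"):
            continue
        bat = TEMP_BAT_RE.search(cmd.cmdline)
        if bat is None:
            continue
        parent: Optional[ProcEvent] = by_pid.get(cmd.ppid)
        if parent is None:
            continue  # orphaned cmd.exe: cannot attribute, skip
        waits = [(c, TIMEOUT_RE.match(c.cmdline)) for c in children.get(cmd.pid, [])]
        waits = [(c, m) for c, m in waits if m]
        if not waits:
            continue
        wait_proc, m = waits[0]
        hits.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "parent_in_user_dir": any(d in parent.image.lower() for d in USER_DIRS),
            "cmd_pid": cmd.pid,
            "bat": bat.group(1),
            "wait_pid": wait_proc.pid,
            "wait_seconds": int(m.group(1)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(SAMPLE_EVENTS):
        print(hit)
```

The record names the parent executable and the batch path, which is what an analyst needs to pull from the image: by the time the alert is reviewed the sample has usually deleted both, so the memory dumps in this report are the copy to work from.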
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp106E.tmp.bat
  Filesize: 156B
  MD5: ac3e962ddcf923f13b37007570274d7b
  SHA1: 757f1c4695eb505b08fb16cfb5f1802bc03b3329
  SHA256: ea8d80f3131f5e8f64d840970aeab8993c6ab96ec4960da3b7965c99f2349795
  SHA512: 39a47c05a8a1f2e96381d734fe9927a6e50843f947cea04115edc4fcb7c2ef98f811b3ff669bba2606d95d01a7b9b58c4e4866b4d28cc6fa9c3abbb28e02b1c8
memory/920-58-0x0000000000000000-mapping.dmp
memory/1880-56-0x0000000000000000-mapping.dmp
memory/1976-54-0x0000000001110000-0x0000000001122000-memory.dmp
  Filesize: 72KB
memory/1976-55-0x0000000000B20000-0x0000000000B84000-memory.dmp
  Filesize: 400KB