Analysis Overview
SHA256
b9ddb91a6de8542f1bbf920fbf40cc84780e18a3865b4f6407b4b168af0d13c5
Threat Level: Known bad
The file Christine-Fink_ByZrar.scr was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-17 03:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-17 03:21
Reported
2023-03-17 03:23
Platform
win10v2004-20230220-en
Max time kernel
20s
Max time network
35s
Command Line
Signatures
AsyncRat
Async RAT payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4404 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr | C:\Users\Admin\AppData\Local\Temp\csrss.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr
"C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr" /S
C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.25.155:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
Files
memory/4404-133-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss.exe
| MD5 | 80536cf3325d6dbd0d961300bce4e707 |
| SHA1 | 58c1868bc443e509d9fa2d268c6bd0be66e52ebd |
| SHA256 | ddef87f68cddede60375bb1dc0b44842166362d04040851894a9583805bfd831 |
| SHA512 | 5786ffe93fa20e6adf359d2af94a6d27a793279361a6dbb0ab117b1aae93c306333dccaeeedfe7e6f435624a19a705afde9b4775d78d296f8caa1c2a71db298b |
memory/4680-214-0x0000000000E10000-0x0000000000E22000-memory.dmp