Analysis
max time kernel: 144s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21/03/2023, 02:44
Behavioral task: behavioral1
Sample: Launcher.exe
Resource: win7-20230220-en
General
Target: Launcher.exe
Size: 309KB
MD5: 66b5dabec55deb65ac6ecdbb385c9181
SHA1: 8485dc1ecf501916e3850521e81112fccdfaa110
SHA256: 9a8f8b44910d4c35a64244354966ce7bdd3bdff9189feee1d8e98b094c855138
SHA512: 28ff7068f0d8c1d7e0de8a6129d64db7d566868dc93e9bb8ba4de737d11483f8dd52edc6f67799cdf3396109061835bce472a2123477bb9304f1ff902ffdffb8
SSDEEP: 3072:WHuQETR+J2IoYcOXb/CPJDjSIU1dA+h9b3dA2/S1dAK3dA/Sf6CwCPuikC0oXz2T:ouQ1MIPXXbaQIDp5OqfO
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  127.0.0.1:1177
  jntrojan.ddns.net:6606
  jntrojan.ddns.net:7707
  jntrojan.ddns.net:8808
  jntrojan.ddns.net:1177
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: windows.exe
install_folder: %Temp%
Signatures

Async RAT payload (7 IoCs)
resource | yara_rule
behavioral1/memory/1324-54-0x00000000003D0000-0x0000000000424000-memory.dmp | asyncrat
behavioral1/files/0x000b000000012302-65.dat | asyncrat
behavioral1/files/0x000b000000012302-66.dat | asyncrat
behavioral1/files/0x000b000000012302-67.dat | asyncrat
behavioral1/memory/560-68-0x00000000013A0000-0x00000000013F4000-memory.dmp | asyncrat
behavioral1/memory/560-69-0x00000000012B0000-0x00000000012F0000-memory.dmp | asyncrat
behavioral1/memory/560-70-0x00000000012B0000-0x00000000012F0000-memory.dmp | asyncrat

Executes dropped EXE (1 IoC)
pid | Process
560 | windows.exe

Loads dropped DLL (1 IoC)
pid | Process
772 | cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1500 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
1200 | timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1324 | Launcher.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1324 | Launcher.exe
Token: SeDebugPrivilege | 560 | windows.exe

Suspicious use of WriteProcessMemory (35 IoCs; five distinct events, each recorded 7 times)
description | pid | Process | procid_target
PID 1324 wrote to memory of 2004 | 1324 | Launcher.exe | 28 (7 identical events)
PID 1324 wrote to memory of 772 | 1324 | Launcher.exe | 30 (7 identical events)
PID 772 wrote to memory of 1200 | 772 | cmd.exe | 32 (7 identical events)
PID 2004 wrote to memory of 1500 | 2004 | cmd.exe | 33 (7 identical events)
PID 772 wrote to memory of 560 | 772 | cmd.exe | 34 (7 identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  PID: 1324
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Local\Temp\windows.exe"' & exit
    PID: 2004
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Local\Temp\windows.exe"'
      PID: 1500
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.bat""
    PID: 772
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 1200
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\windows.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      PID: 560
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 154B (2 identical entries)
MD5: 1996d284c52ae05d2e3338063945615d
SHA1: 522d58df6c2e2d617ac685130052fe260e0cef57
SHA256: 7b6570aa5a1445c5b86082271f6fd4e4313efcb48e731fd75e26cfed27a22013
SHA512: b31292b02e350ce4b51b35386476ac5201f6e57a3781bbe07369fa7126dc77461564716d57b5cafa607a9edaa7c61e0733a0bfa606f598da0e54ac66b9a93d45

Filesize: 309KB (3 identical entries; hashes match the submitted sample Launcher.exe)
MD5: 66b5dabec55deb65ac6ecdbb385c9181
SHA1: 8485dc1ecf501916e3850521e81112fccdfaa110
SHA256: 9a8f8b44910d4c35a64244354966ce7bdd3bdff9189feee1d8e98b094c855138
SHA512: 28ff7068f0d8c1d7e0de8a6129d64db7d566868dc93e9bb8ba4de737d11483f8dd52edc6f67799cdf3396109061835bce472a2123477bb9304f1ff902ffdffb8