Analysis
max time kernel: 144s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26/04/2023, 20:23

Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20230220-en
General
Target: Client.exe
Size: 47KB
MD5: ba749e000163c81a53234fcb21cdd2ee
SHA1: 1650d6019a972f647ad8b58bab7648bd9311cc02
SHA256: f510b0b4cc33d862c3b1d9b35ee76563cf3044e5d85009d27a46177ab4332b7d
SHA512: 91bb51faf1a3ba3ed3e2ee963642da71df3c9c4ffd4502142407fac1cc99f29fa33b0c73abf50f3e1f095252efbfc9fde6a35fece6002349f25c28837583f5d7
SSDEEP: 768:gbERqILEWgg+jiltelDSN+iV08Ybyge3Tg/Rvu9vEgK/JrZVc6KN:cEgIltKDs4zb1AwJu9nkJrZVclN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
C2: 127.0.0.1:8848
Mutex: DcRatMutex_qwqdanchun
delay: 2
install: true
install_file: app.exe
install_folder: %Temp%
Signatures

Async RAT payload 5 IoCs
resource | yara_rule
behavioral1/memory/1604-54-0x0000000000F60000-0x0000000000F72000-memory.dmp | asyncrat
behavioral1/files/0x000b0000000122da-67.dat | asyncrat
behavioral1/files/0x000b0000000122da-66.dat | asyncrat
behavioral1/memory/340-68-0x0000000000310000-0x0000000000322000-memory.dmp | asyncrat
behavioral1/memory/340-69-0x000000001B0D0000-0x000000001B150000-memory.dmp | asyncrat

Executes dropped EXE 1 IoCs
pid | Process
340 | app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
544 | schtasks.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
268 | timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1604 | Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1604 | Client.exe
Token: SeDebugPrivilege | 340 | app.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 1604 wrote to memory of 1520 | 1604 | Client.exe | 28
PID 1604 wrote to memory of 1520 | 1604 | Client.exe | 28
PID 1604 wrote to memory of 1520 | 1604 | Client.exe | 28
PID 1604 wrote to memory of 468 | 1604 | Client.exe | 30
PID 1604 wrote to memory of 468 | 1604 | Client.exe | 30
PID 1604 wrote to memory of 468 | 1604 | Client.exe | 30
PID 1520 wrote to memory of 544 | 1520 | cmd.exe | 32
PID 1520 wrote to memory of 544 | 1520 | cmd.exe | 32
PID 1520 wrote to memory of 544 | 1520 | cmd.exe | 32
PID 468 wrote to memory of 268 | 468 | cmd.exe | 33
PID 468 wrote to memory of 268 | 468 | cmd.exe | 33
PID 468 wrote to memory of 268 | 468 | cmd.exe | 33
PID 468 wrote to memory of 340 | 468 | cmd.exe | 34
PID 468 wrote to memory of 340 | 468 | cmd.exe | 34
PID 468 wrote to memory of 340 | 468 | cmd.exe | 34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 1604
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "app" /tr '"C:\Users\Admin\AppData\Local\Temp\app.exe"' & exit
    PID: 1520
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "app" /tr '"C:\Users\Admin\AppData\Local\Temp\app.exe"'
      PID: 544
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC60.tmp.bat""
    PID: 468
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 268
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\app.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\app.exe"
      PID: 340
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 47KB
MD5: ba749e000163c81a53234fcb21cdd2ee
SHA1: 1650d6019a972f647ad8b58bab7648bd9311cc02
SHA256: f510b0b4cc33d862c3b1d9b35ee76563cf3044e5d85009d27a46177ab4332b7d
SHA512: 91bb51faf1a3ba3ed3e2ee963642da71df3c9c4ffd4502142407fac1cc99f29fa33b0c73abf50f3e1f095252efbfc9fde6a35fece6002349f25c28837583f5d7

Filesize: 149B
MD5: 3b24f4704ba426eda5c011d35f467093
SHA1: 546c32d9f8a55b1734b6d87561f9f4001ace7df7
SHA256: 196246d927cdc9f8a263798ad041984be477162075bd152fadd3554190f85c98
SHA512: 49cce688f07f2aaa167de18707e4250c219533a6f6131173ffcc7a12fe2413e2031b7c72183d8b834c3c9113e436d2694020ed0d26902e6fadc9d3af52096cdd