Analysis
  max time kernel: 144s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/04/2023, 20:23
Behavioral task: behavioral1
  Sample: Client.exe
  Resource: win7-20230220-en
General
  Target: Client.exe
  Size: 47KB
  MD5: ba749e000163c81a53234fcb21cdd2ee
  SHA1: 1650d6019a972f647ad8b58bab7648bd9311cc02
  SHA256: f510b0b4cc33d862c3b1d9b35ee76563cf3044e5d85009d27a46177ab4332b7d
  SHA512: 91bb51faf1a3ba3ed3e2ee963642da71df3c9c4ffd4502142407fac1cc99f29fa33b0c73abf50f3e1f095252efbfc9fde6a35fece6002349f25c28837583f5d7
  SSDEEP: 768:gbERqILEWgg+jiltelDSN+iV08Ybyge3Tg/Rvu9vEgK/JrZVc6KN:cEgIltKDs4zb1AwJu9nkJrZVclN
Malware Config
Extracted
  Family: asyncrat
  Version: 1.0.7
  Botnet: Default
  C2: 127.0.0.1:8848
  Mutex: DcRatMutex_qwqdanchun
  delay: 2
  install: true
  install_file: app.exe
  install_folder: %Temp%
Signatures

Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3280-133-0x0000000000960000-0x0000000000972000-memory.dmp | asyncrat
  behavioral2/files/0x000400000000073b-141.dat | asyncrat
  behavioral2/files/0x000400000000073b-142.dat | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | Client.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4248 | app.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3392 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  32 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  3280 | Client.exe (the same entry is recorded 23 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3280 | Client.exe
  Token: SeDebugPrivilege | 4248 | app.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 3280 wrote to memory of 1556 | 3280 | Client.exe | 87 (recorded twice)
  PID 3280 wrote to memory of 1512 | 3280 | Client.exe | 89 (recorded twice)
  PID 1512 wrote to memory of 32 | 1512 | cmd.exe | 91 (recorded twice)
  PID 1556 wrote to memory of 3392 | 1556 | cmd.exe | 92 (recorded twice)
  PID 1512 wrote to memory of 4248 | 1512 | cmd.exe | 94 (recorded twice)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 3280
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "app" /tr '"C:\Users\Admin\AppData\Local\Temp\app.exe"' & exit
    PID: 1556
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "app" /tr '"C:\Users\Admin\AppData\Local\Temp\app.exe"'
      PID: 3392
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCA79.tmp.bat""
    PID: 1512
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 32
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\app.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\app.exe"
      PID: 4248
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 47KB
  MD5: ba749e000163c81a53234fcb21cdd2ee
  SHA1: 1650d6019a972f647ad8b58bab7648bd9311cc02
  SHA256: f510b0b4cc33d862c3b1d9b35ee76563cf3044e5d85009d27a46177ab4332b7d
  SHA512: 91bb51faf1a3ba3ed3e2ee963642da71df3c9c4ffd4502142407fac1cc99f29fa33b0c73abf50f3e1f095252efbfc9fde6a35fece6002349f25c28837583f5d7

  Filesize: 47KB
  MD5: ba749e000163c81a53234fcb21cdd2ee
  SHA1: 1650d6019a972f647ad8b58bab7648bd9311cc02
  SHA256: f510b0b4cc33d862c3b1d9b35ee76563cf3044e5d85009d27a46177ab4332b7d
  SHA512: 91bb51faf1a3ba3ed3e2ee963642da71df3c9c4ffd4502142407fac1cc99f29fa33b0c73abf50f3e1f095252efbfc9fde6a35fece6002349f25c28837583f5d7

  Filesize: 150B
  MD5: cafae8c8ce10f629eb6c1bebd16af8d6
  SHA1: d9bd95052291908cc25662424956b43c3de5f783
  SHA256: eae0e843390e926757e8628bbc344e33ab9409d11dd6f67a6e081a2bd65d1edf
  SHA512: edfd4c30d696fcc90695c9b2d576a7a440c34bbd19d0e6007f309d67fbdf035fb58e03002578d27de49ad1c265191b28cd8ece6aba59d64ccd0fe6935033751c