Analysis
max time kernel: 57s
max time network: 154s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 01:26
Static task: static1
Behavioral task: behavioral1
  Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Resource: win10v2004-20230221-en
General
Target: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
Size: 899KB
MD5: c011326ff5f864290617144c3dddcc88
SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a
SSDEEP: 12288:qeU8P7AlfzNA1Na+tIHBvD0hECB8dIxZZeyAnE/sTZ32jQnQeH//WmrHcjhS:q8Cf0a+6ghEC7XV+8Qnjf/WmTGhS
Malware Config
Extracted
Family: asyncrat
Version: 0.5.6D
Botnet: Default
C2:
  seznam.zapto.org:6606
  seznam.zapto.org:7707
  seznam.zapto.org:8808
  milla.publicvm.com:6606
  milla.publicvm.com:7707
  milla.publicvm.com:8808
Mutex: ycwqfldbyykswbufnmb
Attributes:
  delay: 5
  install: true
  install_file: microsafte.exe
  install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1972-55-0x00000000002F0000-0x0000000000302000-memory.dmp   asyncrat
  behavioral1/memory/1972-56-0x0000000004C30000-0x0000000004C70000-memory.dmp   asyncrat
  behavioral1/memory/1164-70-0x0000000004CF0000-0x0000000004D30000-memory.dmp   asyncrat

Executes dropped EXE (1 IoCs)
  pid    Process
  1164   microsafte.exe

Loads dropped DLL (1 IoCs)
  pid    Process
  1748   cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1708   schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid    Process
  2012   timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid    Process
  1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Token: SeDebugPrivilege   1164   microsafte.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid    Process                                             procid_target
  PID 1972 wrote to memory of 1428   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   27
  PID 1972 wrote to memory of 1428   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   27
  PID 1972 wrote to memory of 1428   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   27
  PID 1972 wrote to memory of 1428   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   27
  PID 1972 wrote to memory of 1748   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   29
  PID 1972 wrote to memory of 1748   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   29
  PID 1972 wrote to memory of 1748   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   29
  PID 1972 wrote to memory of 1748   1972   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   29
  PID 1428 wrote to memory of 1708   1428   cmd.exe                                             31
  PID 1428 wrote to memory of 1708   1428   cmd.exe                                             31
  PID 1428 wrote to memory of 1708   1428   cmd.exe                                             31
  PID 1428 wrote to memory of 1708   1428   cmd.exe                                             31
  PID 1748 wrote to memory of 2012   1748   cmd.exe                                             32
  PID 1748 wrote to memory of 2012   1748   cmd.exe                                             32
  PID 1748 wrote to memory of 2012   1748   cmd.exe                                             32
  PID 1748 wrote to memory of 2012   1748   cmd.exe                                             32
  PID 1748 wrote to memory of 1164   1748   cmd.exe                                             33
  PID 1748 wrote to memory of 1164   1748   cmd.exe                                             33
  PID 1748 wrote to memory of 1164   1748   cmd.exe                                             33
  PID 1748 wrote to memory of 1164   1748   cmd.exe                                             33
Processes

C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1972

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
      - Suspicious use of WriteProcessMemory
      PID: 1428

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
          - Creates scheduled task(s)
          PID: 1708

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp979F.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1748

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
          PID: 2012

        C:\Users\Admin\AppData\Roaming\microsafte.exe
          Command line: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 1164
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 154B
MD5: c0e47243cf886f25ba5f9b5297cbf134
SHA1: 968badeea011e1164234bf8462630ede29a094f1
SHA256: 4e3dc7bb575820da992597b43bca9fce6170ddce880aa42e9ad530be6c4f8f44
SHA512: 5b1b9e89e97a193d8bc50a07e96c842c73af3910b240f785a4a29ff403bb0624b09129632eca1bf9128854a08894b276cbcd173456afca102c43791b8a01c7a1

Filesize: 899KB
MD5: c011326ff5f864290617144c3dddcc88
SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a