Analysis

max time kernel: 59s
max time network: 137s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 01:26

Static task: static1
Behavioral task: behavioral1
  Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Resource: win10v2004-20230220-en

The signatures and process tree on this page are from behavioral1 (the Windows 7 x64 run); the behavioral2 (Windows 10) results are not included here.
General

Target: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
Size: 899KB
MD5: c011326ff5f864290617144c3dddcc88
SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a
SSDEEP: 12288:qeU8P7AlfzNA1Na+tIHBvD0hECB8dIxZZeyAnE/sTZ32jQnQeH//WmrHcjhS:q8Cf0a+6ghEC7XV+8Qnjf/WmTGhS
Malware Config

Extracted
Family: asyncrat
Version: 0.5.6D
Botnet ID: Default
C2 (host:port):
  seznam.zapto.org:6606
  seznam.zapto.org:7707
  seznam.zapto.org:8808
  milla.publicvm.com:6606
  milla.publicvm.com:7707
  milla.publicvm.com:8808
Mutex: ycwqfldbyykswbufnmb
Attributes
  delay: 5
  install: true
  install_file: microsafte.exe
  install_folder: %AppData%

The labels "Version", "Botnet ID" and "Mutex" did not survive extraction and are assigned here from the position of each value in the extractor's usual AsyncRAT layout; the four attribute labels are the page's own. For hunting: 6606, 7707 and 8808 are the default ports in the AsyncRAT builder, and both C2 hostnames sit on free dynamic-DNS domains, so block and alert on the hostnames rather than on whatever they resolve to at the time of analysis.
Signatures

Async RAT payload  (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1240-55-0x0000000000370000-0x0000000000382000-memory.dmp   asyncrat
  behavioral1/memory/1240-56-0x0000000004A10000-0x0000000004A50000-memory.dmp   asyncrat

Executes dropped EXE  (1 IoC)
  pid   Process
  432   microsafte.exe

Loads dropped DLL  (1 IoC)
  pid   Process
  740   cmd.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  516   schtasks.exe

Delays execution with timeout.exe  (1 IoC)
  pid   Process
  872   timeout.exe

Suspicious behavior: EnumeratesProcesses  (1 IoC)
  pid    Process
  1240   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1240   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Token: SeDebugPrivilege   432    microsafte.exe

Suspicious use of WriteProcessMemory  (20 IoCs)
  Each row below was reported four times; the count is given instead of repeating the rows.
  description                        pid    Process                                              procid_target
  PID 1240 wrote to memory of 1440   1240   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   27   (x4)
  PID 1240 wrote to memory of 740    1240   35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe   29   (x4)
  PID 1440 wrote to memory of 516    1440   cmd.exe                                              31   (x4)
  PID 740 wrote to memory of 872     740    cmd.exe                                              32   (x4)
  PID 740 wrote to memory of 432     740    cmd.exe                                              33   (x4)
  Every target is a direct child that the writing process created itself (compare the process tree below); no writes into pre-existing processes were reported, so these entries reflect process creation rather than injection into another process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe  (PID 1240)
    Command line: "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 1440)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 516)
        Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
        - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 740)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpABF9.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\timeout.exe  (PID 872)
        Command line: timeout 3
        - Delays execution with timeout.exe

    [3] C:\Users\Admin\AppData\Roaming\microsafte.exe  (PID 432)
        Command line: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample spawns two branches. The first is persistence: a scheduled task named after the sample, triggered at logon (/sc onlogon), requested to run as SYSTEM (/ru system) at the highest run level (/rl highest), whose action is the copy at %AppData%\Roaming\microsafte.exe. The second is the install stub: a batch file in %TEMP% that waits three seconds (timeout 3) and then starts the dropped copy, which immediately requests SeDebugPrivilege, as the original did. Two caveats for anyone reproducing this: the executed image is C:\Windows\SysWOW64\cmd.exe although the command line names System32, so the sample is a 32-bit process and its children are redirected by WoW64; and registering a task with /ru system needs an elevated token, and this report only shows that schtasks ran, not that registration succeeded. The timeout 3 in the batch file is the stub's own wait and is separate from the delay of 5 in the extracted configuration. For hunting, key on the task action path (an executable under AppData\Roaming) rather than the task name, which here is just the sample's filename.
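The install chain in the tree above is common to many AsyncRAT builds, so it is worth encoding as detection logic. The following is an added example written for this page, not code from the sandbox or from the report: it scans process-creation records for (1) a schtasks /create that registers an ONLOGON task to run as SYSTEM with its action in a user-writable path, and (2) a cmd.exe running a .bat from %TEMP% whose children are a sleep followed by an executable launched from a user-writable path. The ProcEvent record shape (pid, ppid, image, cmdline) is an assumed telemetry schema; the EVENTS list is constructed from the PIDs and command lines in the process tree. Treating ping.exe as a delay binary alongside timeout.exe is a generalization beyond this report.

```python
# Added example (not from the sandbox report): detection logic for the
# AsyncRAT install chain seen in the process tree. Record fields and the
# EVENTS list are constructed from the report; the schema is an assumption.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path of the created process
    cmdline: str    # command line as logged


# Constructed from the report's process tree (PIDs, images and command lines as shown).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\microsafte.exe"
TASK_CMD = (r"schtasks /create /f /sc onlogon /ru system /rl highest "
            r"/tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F "
            r"/tr '" + '"' + DROPPED + '"' + "'")

EVENTS = [
    ProcEvent(1240, 0,    SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1440, 1240, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"),
    ProcEvent(516,  1440, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    ProcEvent(740,  1240, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpABF9.tmp.bat""'),
    ProcEvent(872,  740,  r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(432,  740,  DROPPED, f'"{DROPPED}"'),
]

# Locations an unprivileged user can write to; nothing scheduled from here should run as SYSTEM.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\", re.I)
# ping.exe is the other common sleep primitive (assumption beyond this report).
DELAY_BINARIES = ("\\timeout.exe", "\\ping.exe")


def check_schtasks(ev: ProcEvent) -> Optional[dict]:
    """Return the risky attributes of a schtasks /create command line, or None if not one."""
    cl = ev.cmdline.lower()
    if "schtasks" not in cl or "/create" not in cl:
        return None
    m = re.search(r"/tr\s+['\"]*([^'\"]+)", cl)      # strip the '" ... "' quoting seen above
    action = m.group(1).strip() if m else None
    return {
        "pid": ev.pid,
        "onlogon": bool(re.search(r"/sc\s+onlogon", cl)),
        "run_as_system": bool(re.search(r"/ru\s+system", cl)),
        "highest": bool(re.search(r"/rl\s+highest", cl)),
        "action": action,
        "action_user_writable": bool(action and USER_WRITABLE.search(action)),
    }


def children(events, ppid):
    return [e for e in events if e.ppid == ppid]


def check_delayed_launch(events) -> list:
    """Find cmd.exe instances running a %TEMP% .bat that sleep and then start
    an executable from a user-writable path (the AsyncRAT install stub)."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r"\\temp\\[^\"]+\.bat", ev.cmdline, re.I):
            continue
        kids = children(events, ev.pid)
        delayed = any(k.image.lower().endswith(DELAY_BINARIES) for k in kids)
        launched = [k.image for k in kids
                    if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        if delayed and launched:
            hits.append({"cmd_pid": ev.pid, "launched": launched})
    return hits


def ancestry(events, pid) -> list:
    """Walk ppid links back to the root so an alert can show the full chain."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def scan(events) -> list:
    """Run both checks and return human-readable findings."""
    findings = []
    for ev in events:
        r = check_schtasks(ev)
        # Require the SYSTEM/ONLOGON flags AND a user-writable action: a legitimate
        # installer may schedule at logon, but not from %APPDATA% as SYSTEM.
        if r and r["onlogon"] and r["run_as_system"] and r["action_user_writable"]:
            findings.append(f"schtasks persistence: pid {ev.pid} -> {r['action']} "
                            f"(chain {ancestry(events, ev.pid)})")
    for h in check_delayed_launch(events):
        findings.append(f"delayed dropped-EXE launch: cmd pid {h['cmd_pid']} -> {h['launched']} "
                        f"(chain {ancestry(events, h['cmd_pid'])})")
    return findings


if __name__ == "__main__":
    for line in scan(EVENTS):
        print(line)
```

Run against the constructed events this yields three findings: the schtasks command line as seen in cmd.exe (PID 1440) and again in schtasks.exe (PID 516), and the delayed launch of microsafte.exe from the batch file under cmd.exe (PID 740). The schtasks check fires on both the cmd.exe wrapper and the schtasks.exe child on purpose; either one alone is enough evidence, and telemetry that truncates long cmd.exe command lines will still catch the child.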
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1 (listed twice in the report; the report does not name it)
  Filesize: 154B
  MD5: 47d6f66c4cb05a3cfa0971179dd19972
  SHA1: 8fec647f8c206a4bc41d1780b92010d7f97b903c
  SHA256: 36af6bddcf9cfb0147f47da5f7a9dbf4d5ffe7e1bee8d3af34fb7be1303d2fce
  SHA512: d89a68be09075545f31cc3f9acf10e5acfb1f8b70ee50184d3dff16e5d664a790543453f1f7e50596401c2802f4e6b912da037b785d7d1c95949a1d2ace31997

File 2 (listed three times in the report; all four hashes are identical to the submitted sample)
  Filesize: 899KB
  MD5: c011326ff5f864290617144c3dddcc88
  SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
  SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
  SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a

Because File 2 hashes identically to the sample, it is consistent with the install routine copying the original binary to %AppData%\Roaming\microsafte.exe unchanged; the dropped file therefore adds no hash indicator beyond the sample's own.