Analysis
- max time kernel: 58s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 01:27
Static task: static1
Behavioral task: behavioral1
- Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Resource: win10v2004-20230220-en
General
- Target: 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Size: 899KB
- MD5: c011326ff5f864290617144c3dddcc88
- SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
- SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
- SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a
- SSDEEP: 12288:qeU8P7AlfzNA1Na+tIHBvD0hECB8dIxZZeyAnE/sTZ32jQnQeH//WmrHcjhS:q8Cf0a+6ghEC7XV+8Qnjf/WmTGhS
Malware Config
Extracted
asyncrat
0.5.6D
Default
seznam.zapto.org:6606
seznam.zapto.org:7707
seznam.zapto.org:8808
milla.publicvm.com:6606
milla.publicvm.com:7707
milla.publicvm.com:8808
ycwqfldbyykswbufnmb
- delay: 5
- install: true
- install_file: microsafte.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1444-55-0x00000000003B0000-0x00000000003C2000-memory.dmp | asyncrat
  behavioral1/memory/1444-56-0x0000000000A40000-0x0000000000A80000-memory.dmp | asyncrat
  behavioral1/memory/540-70-0x0000000004B20000-0x0000000004B60000-memory.dmp | asyncrat
- Executes dropped EXE (1 IoC)
  pid | Process
  540 | microsafte.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1736 | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1788 | schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  1724 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
  Token: SeDebugPrivilege | 540 | microsafte.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1444 wrote to memory of 1728 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 27
  PID 1444 wrote to memory of 1728 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 27
  PID 1444 wrote to memory of 1728 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 27
  PID 1444 wrote to memory of 1728 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 27
  PID 1444 wrote to memory of 1736 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 29
  PID 1444 wrote to memory of 1736 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 29
  PID 1444 wrote to memory of 1736 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 29
  PID 1444 wrote to memory of 1736 | 1444 | 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe | 29
  PID 1736 wrote to memory of 1724 | 1736 | cmd.exe | 31
  PID 1736 wrote to memory of 1724 | 1736 | cmd.exe | 31
  PID 1736 wrote to memory of 1724 | 1736 | cmd.exe | 31
  PID 1736 wrote to memory of 1724 | 1736 | cmd.exe | 31
  PID 1728 wrote to memory of 1788 | 1728 | cmd.exe | 32
  PID 1728 wrote to memory of 1788 | 1728 | cmd.exe | 32
  PID 1728 wrote to memory of 1788 | 1728 | cmd.exe | 32
  PID 1728 wrote to memory of 1788 | 1728 | cmd.exe | 32
  PID 1736 wrote to memory of 540 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 540 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 540 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 540 | 1736 | cmd.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe (PID 1444, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1728, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1788, level 3)
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 1736, level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E1D.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 1724, level 3)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\microsafte.exe (PID 540, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 154B
  MD5: e6f1ca00b0ae08bed9fc92efb6bd61f6
  SHA1: 95eb579b30275734831f20425ecadc806fbc3c70
  SHA256: ff73f1801db2d5ada12bd96398e8751a9e0016f7b2adfc65af1e5250c2396e4c
  SHA512: 842478c85d79debb703383c653ae15428724d1f9100ab9ccdf7c372ea2c41072957919a612bba432ab596e11a4c9b8b00b32753509ccad12e36ee66cce86956f
- Filesize: 899KB
  MD5: c011326ff5f864290617144c3dddcc88
  SHA1: 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
  SHA256: 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
  SHA512: 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a