Analysis
max time kernel: 37s
max time network: 134s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 01:30
Behavioral task: behavioral1
Sample: 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
Resource: win7-20230220-en
General
Target: 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
Size: 72KB
MD5: 6ddcee176a864b67cd4cff577c28cdf1
SHA1: c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256: 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
SHA512: 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4
SSDEEP: 768:8oXyvMOgs2/W4G9mxNf13wRCn1OCDyjb5gr3irIWSpo7niClZR2tYcFmVc6K:8oX4MOg/PAUVebWrSvSpurRKmVcl
Malware Config
Extracted
Family: asyncrat
Version: 0.5.6D
Botnet: Default
C2:
  seznam.zapto.org:6606
  seznam.zapto.org:7707
  seznam.zapto.org:8808
  milla.publicvm.com:6606
  milla.publicvm.com:7707
  milla.publicvm.com:8808
ycwqfldbyykswbufnmb
delay: 5
install: true
install_file: microsafte.exe
install_folder: %AppData%
Signatures
Async RAT payload (5 IoCs)
  resource / yara_rule:
    behavioral1/memory/1724-54-0x0000000001070000-0x0000000001082000-memory.dmp / asyncrat
    behavioral1/files/0x000b0000000122fe-66.dat / asyncrat
    behavioral1/files/0x000b0000000122fe-67.dat / asyncrat
    behavioral1/memory/1496-68-0x0000000000E60000-0x0000000000E72000-memory.dmp / asyncrat
    behavioral1/memory/1496-69-0x00000000002E0000-0x0000000000360000-memory.dmp / asyncrat
Executes dropped EXE (1 IoC)
  pid / Process:
    1496 / microsafte.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
    1720 / schtasks.exe
Delays execution with timeout.exe (1 IoC)
  pid / Process:
    1500 / timeout.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid / Process:
    1724 / 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege / 1724 / 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
    Token: SeDebugPrivilege / 1496 / microsafte.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / Process / procid_target (each row appears three times in the report):
    PID 1724 wrote to memory of 684 / 1724 / 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe / 27
    PID 1724 wrote to memory of 584 / 1724 / 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe / 29
    PID 684 wrote to memory of 1720 / 684 / cmd.exe / 31
    PID 584 wrote to memory of 1500 / 584 / cmd.exe / 32
    PID 584 wrote to memory of 1496 / 584 / cmd.exe / 33
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe (PID 1724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 684)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1444-55-0x00000000003B0000-0x00000000003C2000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (PID 1720)
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn 1444-55-0x00000000003B0000-0x00000000003C2000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
      Signatures: Creates scheduled task(s)
  C:\Windows\system32\cmd.exe (PID 584)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp539D.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (PID 1500)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\microsafte.exe (PID 1496)
      Command line: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 154B
  MD5: 9d7c17510bd9a7f5d147bba191ec8f3d
  SHA1: 5ea7ef7a2d6231ce9bc2e3579b62799e13e6a7fc
  SHA256: fde6a38b85d06cc994bab5f13548f4e6e045c26b727ba7ec387b52fcd721bdca
  SHA512: 7e7bebedff0a353afd4fd012afee93368f76f7bfca036d60596039b02c7fc2005ccdf0fd8b2d0c4306ea2887633fb838a2179a7eb9410e2d4b79a86b98e931d8
Filesize: 72KB
  MD5: 6ddcee176a864b67cd4cff577c28cdf1
  SHA1: c69292e4ec9128ccc4de351f39a48d1bd3f439e6
  SHA256: 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
  SHA512: 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4