Analysis
max time kernel: 105s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 01:30
Behavioral task: behavioral1
Sample: 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
Resource: win7-20230220-en
General
Target: 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
Size: 72KB
MD5: 6ddcee176a864b67cd4cff577c28cdf1
SHA1: c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256: 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
SHA512: 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4
SSDEEP: 768:8oXyvMOgs2/W4G9mxNf13wRCn1OCDyjb5gr3irIWSpo7niClZR2tYcFmVc6K:8oX4MOg/PAUVebWrSvSpurRKmVcl
Malware Config
Extracted
Family: asyncrat
Version: 0.5.6D
Default
C2:
  seznam.zapto.org:6606
  seznam.zapto.org:7707
  seznam.zapto.org:8808
  milla.publicvm.com:6606
  milla.publicvm.com:7707
  milla.publicvm.com:8808
ycwqfldbyykswbufnmb
Attributes:
  delay: 5
  install: true
  install_file: microsafte.exe
  install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1860-133-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral2/files/0x0003000000000731-141.dat | asyncrat
  behavioral2/files/0x0003000000000731-142.dat | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4636 | microsafte.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2208 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  548 | timeout.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid | Process
  1860 | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe (the same pid/process pair is reported for all 25 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1860 | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
  Token: SeDebugPrivilege | 4636 | microsafte.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1860 wrote to memory of 408 | 1860 | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe | 88
  PID 1860 wrote to memory of 408 | 1860 | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe | 88
  PID 1860 wrote to memory of 536 | 1860 | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe | 90
  PID 1860 wrote to memory of 536 | 1860 | 1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe | 90
  PID 408 wrote to memory of 2208 | 408 | cmd.exe | 92
  PID 408 wrote to memory of 2208 | 408 | cmd.exe | 92
  PID 536 wrote to memory of 548 | 536 | cmd.exe | 93
  PID 536 wrote to memory of 548 | 536 | cmd.exe | 93
  PID 536 wrote to memory of 4636 | 536 | cmd.exe | 95
  PID 536 wrote to memory of 4636 | 536 | cmd.exe | 95

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1444-55-0x00000000003B0000-0x00000000003C2000-memory.exe"
  PID: 1860
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1444-55-0x00000000003B0000-0x00000000003C2000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
    PID: 408
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn 1444-55-0x00000000003B0000-0x00000000003C2000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
      PID: 2208
      signatures: Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpADC9.tmp.bat""
    PID: 536
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 548
      signatures: Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\microsafte.exe
      command line: "C:\Users\Admin\AppData\Roaming\microsafte.exe"
      PID: 4636
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 154B
MD5: a327a7f9ff829be015430ee0c856bddb
SHA1: 7d592d6631f0ecd5027cf19cb88394596772916b
SHA256: 1050a92e426b92361021e37404a0a27efcc5c0b61c929cc11271c7d6f14fdef0
SHA512: 62ce1bd63ec3efb88036f17e142235407fa0c17c689365f88b375d25e70706941bf9232d75a173c68775179a67a45ff5ca88a5d4a5b83036caa595ab41466bfe

Filesize: 72KB
MD5: 6ddcee176a864b67cd4cff577c28cdf1
SHA1: c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256: 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
SHA512: 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4

Filesize: 72KB
MD5: 6ddcee176a864b67cd4cff577c28cdf1
SHA1: c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256: 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
SHA512: 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4