Analysis
-
max time kernel
38s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
05/05/2023, 01:29
Behavioral task
behavioral1
Sample
1240-55-0x0000000000370000-0x0000000000382000-memory.exe
Resource
win7-20230220-en
General
-
Target
1240-55-0x0000000000370000-0x0000000000382000-memory.exe
-
Size
72KB
-
MD5
6ddcee176a864b67cd4cff577c28cdf1
-
SHA1
c69292e4ec9128ccc4de351f39a48d1bd3f439e6
-
SHA256
5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
-
SHA512
3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4
-
SSDEEP
768:8oXyvMOgs2/W4G9mxNf13wRCn1OCDyjb5gr3irIWSpo7niClZR2tYcFmVc6K:8oX4MOg/PAUVebWrSvSpurRKmVcl
Malware Config
Extracted
asyncrat
0.5.6D
Default
seznam.zapto.org:6606
seznam.zapto.org:7707
seznam.zapto.org:8808
milla.publicvm.com:6606
milla.publicvm.com:7707
milla.publicvm.com:8808
ycwqfldbyykswbufnmb
-
delay
5
-
install
true
-
install_file
microsafte.exe
-
install_folder
%AppData%
Signatures
-
Async RAT payload 5 IoCs
resource yara_rule
behavioral1/memory/2016-54-0x0000000001080000-0x0000000001092000-memory.dmp asyncrat
behavioral1/files/0x000a00000001235a-66.dat asyncrat
behavioral1/files/0x000a00000001235a-67.dat asyncrat
behavioral1/memory/1544-68-0x0000000000A50000-0x0000000000A62000-memory.dmp asyncrat
behavioral1/memory/1544-69-0x000000001B1D0000-0x000000001B250000-memory.dmp asyncrat
-
Executes dropped EXE 1 IoCs
pid Process 1544 microsafte.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1876 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 812 timeout.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe Token: SeDebugPrivilege 1544 microsafte.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2016 wrote to memory of 516 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe 27
PID 2016 wrote to memory of 516 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe 27
PID 2016 wrote to memory of 516 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe 27
PID 2016 wrote to memory of 1432 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe 29
PID 2016 wrote to memory of 1432 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe 29
PID 2016 wrote to memory of 1432 2016 1240-55-0x0000000000370000-0x0000000000382000-memory.exe 29
PID 516 wrote to memory of 1876 516 cmd.exe 31
PID 516 wrote to memory of 1876 516 cmd.exe 31
PID 516 wrote to memory of 1876 516 cmd.exe 31
PID 1432 wrote to memory of 812 1432 cmd.exe 32
PID 1432 wrote to memory of 812 1432 cmd.exe 32
PID 1432 wrote to memory of 812 1432 cmd.exe 32
PID 1432 wrote to memory of 1544 1432 cmd.exe 33
PID 1432 wrote to memory of 1544 1432 cmd.exe 33
PID 1432 wrote to memory of 1544 1432 cmd.exe 33
Every target PID here is a direct child of the writing process in the process tree (516 and 1432 spawned by 2016, 1876 by 516, 812 and 1544 by 1432), so these writes are consistent with the writes CreateProcess itself performs into a newly spawned child rather than with injection into an unrelated process.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1240-55-0x0000000000370000-0x0000000000382000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
  - Suspicious use of WriteProcessMemory
  PID:516
    C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /ru system /rl highest /tn 1240-55-0x0000000000370000-0x0000000000382000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
    - Creates scheduled task(s)
    PID:1876
  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp45F7.tmp.bat""
  - Suspicious use of WriteProcessMemory
  PID:1432
    C:\Windows\system32\timeout.exe
    timeout 3
    - Delays execution with timeout.exe
    PID:812
    C:\Users\Admin\AppData\Roaming\microsafte.exe
    "C:\Users\Admin\AppData\Roaming\microsafte.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
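The install chain in the process tree above (a schtasks onlogon task running as SYSTEM that points at the copy in %AppData%, then a %TEMP% batch file that waits with timeout and relaunches that copy) can be recognised from ordinary process-creation telemetry. The following is an added example for this report, not code from the sandbox or from AsyncRAT. The event records are constructed from the process tree above; the parent PID of the sample itself is not shown in the report and is assumed to be 1. The rules are written slightly more generally than this one run: they also accept /sc onstart and the NT AUTHORITY\SYSTEM spelling of the run-as account.

```python
"""Detect the AsyncRAT-style install chain from process-creation events.

Added example for this report, not sandbox or AsyncRAT code. EVENTS is
constructed from the report's process tree; the sample's own parent PID is
not in the report and is assumed to be 1.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"
TASK_TARGET = r"C:\Users\Admin\AppData\Roaming\microsafte.exe"
TASK_NAME = "1240-55-0x0000000000370000-0x0000000000382000-memory"
SCHTASKS = ("schtasks /create /f /sc onlogon /ru system /rl highest /tn " + TASK_NAME
            + " /tr '\"" + TASK_TARGET + "\"'")

EVENTS = [  # constructed: pid, ppid, image, command line as recorded in the report
    dict(pid=2016, ppid=1, image=SAMPLE, cmdline='"' + SAMPLE + '"'),
    dict(pid=516, ppid=2016, image=r"C:\Windows\System32\cmd.exe",
         cmdline='"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS + " & exit"),
    dict(pid=1876, ppid=516, image=r"C:\Windows\system32\schtasks.exe", cmdline=SCHTASKS),
    dict(pid=1432, ppid=2016, image=r"C:\Windows\system32\cmd.exe",
         cmdline='cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp45F7.tmp.bat""'),
    dict(pid=812, ppid=1432, image=r"C:\Windows\system32\timeout.exe", cmdline="timeout 3"),
    dict(pid=1544, ppid=1432, image=TASK_TARGET, cmdline='"' + TASK_TARGET + '"'),
]

# Tokens are single-quoted, double-quoted or bare. schtasks /tr values are
# commonly wrapped as '"path"', so unquote() peels both layers.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
USER_WRITABLE = re.compile(r"\\AppData\\|%appdata%|%temp%|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp\.bat", re.I)


def unquote(tok):
    while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        tok = tok[1:-1]
    return tok


def parse_schtasks(cmdline):
    """Map /switch -> value (True for valueless switches such as /create, /f)."""
    toks = [unquote(t) for t in TOKEN_RE.findall(cmdline)]
    opts, i = {}, 1  # toks[0] is the program name
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 2
                continue
            opts[key] = True
        i += 1
    return opts


def system_logon_task(ev):
    """Task created to run as SYSTEM at logon/boot from a user-writable path."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    o = parse_schtasks(ev["cmdline"])
    target = str(o.get("tr", ""))
    if ("create" in o
            and str(o.get("ru", "")).lower() in ("system", "nt authority\\system")
            and str(o.get("sc", "")).lower() in ("onlogon", "onstart")
            and USER_WRITABLE.search(target)):
        return {"rule": "schtasks: SYSTEM logon task runs user-writable binary",
                "pid": ev["pid"], "task": o.get("tn"), "target": target}
    return None


def batch_relaunch(ev, children):
    """cmd.exe running %TEMP%\\tmpXXXX.tmp.bat whose children include timeout.exe
    and an EXE started from a user-writable location."""
    if not ev["image"].lower().endswith("\\cmd.exe") or not TEMP_BAT.search(ev["cmdline"]):
        return None
    kids = children.get(ev["pid"], [])
    waited = any(k["image"].lower().endswith("\\timeout.exe") for k in kids)
    dropped = [k["image"] for k in kids
               if k["image"].lower().endswith(".exe") and USER_WRITABLE.search(k["image"])]
    if waited and dropped:
        return {"rule": "batch: temp .bat delays and launches dropped EXE",
                "pid": ev["pid"], "dropped": dropped}
    return None


def analyze(events):
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        for f in (system_logon_task(ev), batch_relaunch(ev, children)):
            if f:
                findings.append(f)
    # Correlate: the task's /tr target is the same binary the batch file started.
    targets = {f["target"].lower() for f in findings if f["rule"].startswith("schtasks")}
    for f in list(findings):
        if f["rule"].startswith("batch"):
            for d in f["dropped"]:
                if d.lower() in targets:
                    findings.append({"rule": "chain: task target equals batch-launched EXE",
                                     "pid": f["pid"], "target": d})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run against EVENTS this yields three findings: the SYSTEM onlogon task from PID 1876, the batch relaunch from PID 1432, and the correlated chain that ties the task target to the executable the batch file started. The parser only tokenises on quotes and whitespace, which is enough for schtasks command lines; a general cmd.exe argument parser would also have to handle caret escaping.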
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
154B
MD5
f1379a15061e6b5df40db3da283bff5b
SHA1
51ac1db18747ada4cdef9ffe38ed1af4a4133671
SHA256
34f58e05abbda98901492e9153408bf3996c024d3b2eb3a4262d64a207332fdb
SHA512
71265fce9479f8206683249c4e9af66e765f0ebf0ee67fb6f582e443f51d39b46944799bf9319dce8bef8ef299f3dbab6b15ad7e2add814a60a05ea9d969ec57
-
Filesize
72KB (identical hashes to the submitted sample)
MD5
6ddcee176a864b67cd4cff577c28cdf1
SHA1
c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256
5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
SHA512
3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4