Analysis
max time kernel: 72s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2023 12:28
Static task: static1
Behavioral task: behavioral1
Sample: 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe
Resource: win7-20230220-en
General
Target: 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe
Size: 629KB
MD5: 9ffc9a9e7bbfa15fa3fb73631d4ed9ef
SHA1: 247c625f835a1e8a98fe40dbfbc72546d45cb205
SHA256: 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939
SHA512: 0fb6ca18528f7478e48d37c4a538764a046380495b9d8218b3f44a792f074f8139df41194a7f7653ab87cef70f910854f14618d187ce237fc936b716eae391a7
SSDEEP: 12288:HKZ2B0xTGlxNqvNu2hZ+nUEsn96fTxkeRAPP1Xe2hIM/h6Nw/YPBwANFHcsy:HiLaVUH9990TxLK8M/8K4hN5jy
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 95.214.27.44:6606
C2: 95.214.27.44:7707
C2: 95.214.27.44:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1044-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1044-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1044-66-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1044-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1044-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1044-71-0x00000000006E0000-0x0000000000720000-memory.dmp | asyncrat
behavioral1/memory/1044-89-0x00000000006E0000-0x0000000000720000-memory.dmp | asyncrat

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1704 set thread context of 1044 | 1704 | 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe | 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1044 | 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 1704 wrote to memory of 1044 | 1704 | 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe | 70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe
(this identical row appears 9 times in the report, one per write)
Processes
1. C:\Users\Admin\AppData\Local\Temp\70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939.exe"
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
file | Filesize
memory/1044-66-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-61-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-62-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-89-0x00000000006E0000-0x0000000000720000-memory.dmp | 256KB
memory/1044-63-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-71-0x00000000006E0000-0x0000000000720000-memory.dmp | 256KB
memory/1044-70-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-64-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-68-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1044-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/1704-59-0x00000000021C0000-0x000000000220E000-memory.dmp | 312KB
memory/1704-58-0x0000000000470000-0x000000000047A000-memory.dmp | 40KB
memory/1704-54-0x00000000009B0000-0x0000000000A54000-memory.dmp | 656KB
memory/1704-56-0x0000000000430000-0x0000000000444000-memory.dmp | 80KB
memory/1704-60-0x0000000000720000-0x0000000000734000-memory.dmp | 80KB
memory/1704-55-0x0000000004DC0000-0x0000000004E00000-memory.dmp | 256KB
memory/1704-57-0x0000000004DC0000-0x0000000004E00000-memory.dmp | 256KB