Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 30/06/2023, 07:10
General
- Target: Infected.exe
- Size: 209KB
- MD5: 7b009164d0eedb682716bb6c97d97603
- SHA1: 8e94ab5ad0ff41ba02b10095bd3ea9f06c0a3035
- SHA256: 940942b06d32a3f72fe1d6d8bb0885d4412de9ecee1d76a40a43ee4961ce52f1
- SHA512: cb8e6620bdd52ce49b689e73fdd8e1d8b9273fc307c6a2df49fe3666a410581b5b65db6268cc0f70c61923381255d9617d7c314ce437d9f89d8a4d67dbf5b513
- SSDEEP: 3072:dTHYYUbdq3hLKKKKKU8AAFTbp8ELQHsoOJNuYnZIWH2qWUwZr+EM4EIGKEc6iZjC:6LbXfJXnIZOr
Malware Config
Extracted family: asyncrat
- Config name: Default
- C2 (host:port): 209.205.141.181:39858
- Fv杰tgקbaIOvCΗרק5ΘM7杰LF (unlabelled value, reproduced exactly as the report shows it)
- delay: 8
- install: true
- install_file: revitool.exe
- install_folder: %AppData%

The install settings match what the process tree below records: %AppData% expands to C:\Users\Admin\AppData\Roaming on the analysis VM, and the scheduled task and the dropped executable both use C:\Users\Admin\AppData\Roaming\revitool.exe.
Signatures
- Async RAT payload (6 IoCs). YARA rule "asyncrat" matched in these resources:
  - behavioral1/memory/1060-54-0x0000000000B10000-0x0000000000B4A000-memory.dmp
  - behavioral1/files/0x000a000000013a0a-66.dat
  - behavioral1/files/0x000a000000013a0a-67.dat
  - behavioral1/memory/1432-68-0x0000000000270000-0x00000000002AA000-memory.dmp
  - behavioral1/memory/1432-69-0x000000001B180000-0x000000001B200000-memory.dmp
  - behavioral1/memory/632-71-0x0000000140000000-0x00000001405E8000-memory.dmp
- Executes dropped EXE (1 IoC): PID 1432 revitool.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC): schtasks is often used by malware for persistence or to perform post-infection execution. PID 392 schtasks.exe
- Delays execution with timeout.exe (1 IoC): PID 1456 timeout.exe
- Suspicious behavior: EnumeratesProcesses (47 IoCs): PID 1060 Infected.exe (1 entry); PID 632 taskmgr.exe (remaining 46 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC): PID 632 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs), all SeDebugPrivilege: PID 1060 Infected.exe (2 entries); PID 1432 revitool.exe (2 entries); PID 632 taskmgr.exe (1 entry)
- Suspicious use of FindShellTrayWindow (58 IoCs): PID 632 taskmgr.exe (all 58 entries)
- Suspicious use of SendNotifyMessage (58 IoCs): PID 632 taskmgr.exe (all 58 entries)
- Suspicious use of WriteProcessMemory (15 IoCs; the report lists each write three times, and the trailing number is the report's procid_target index, not a PID):
  - PID 1060 Infected.exe wrote to memory of PID 992 (cmd.exe), procid_target 28, x3
  - PID 1060 Infected.exe wrote to memory of PID 1848 (cmd.exe), procid_target 30, x3
  - PID 992 cmd.exe wrote to memory of PID 392 (schtasks.exe), procid_target 32, x3
  - PID 1848 cmd.exe wrote to memory of PID 1456 (timeout.exe), procid_target 33, x3
  - PID 1848 cmd.exe wrote to memory of PID 1432 (revitool.exe), procid_target 34, x3
- Uses Task Scheduler COM API (1 TTP): the Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Note that taskmgr.exe (PID 632) is a separate top-level process in the tree below, not a child of Infected.exe, so the EnumeratesProcesses, GetForegroundWindowSpam, FindShellTrayWindow, SendNotifyMessage and SeDebugPrivilege entries attributed to it describe that process, not the sample. The sample's own signatures are the two SeDebugPrivilege adjustments, the single EnumeratesProcesses entry, the WriteProcessMemory calls into its child processes, the scheduled task, the timeout delay and the execution of the dropped copy.
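The memory-dump resource names in the "Async RAT payload" signature encode the PID and the virtual address range of each region the YARA rule hit. The following added example (not part of the sandbox report) parses those names and groups the regions by size. The name layout "behavioral1/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp" and "behavioral1/files/<id>-<n>.dat" is inferred from the names on this page and is an assumption about the sandbox's naming convention, not a documented format.

```python
"""Parse the resource names from the "Async RAT payload" signature and
compare the matched memory regions across processes.

Added example; not from the sandbox report. The name layout is inferred
from the names shown on this page (an assumption, not a documented format).
"""
import re
from collections import defaultdict

# Resource names copied from the signature block above.
RESOURCES = [
    "behavioral1/memory/1060-54-0x0000000000B10000-0x0000000000B4A000-memory.dmp",
    "behavioral1/files/0x000a000000013a0a-66.dat",
    "behavioral1/files/0x000a000000013a0a-67.dat",
    "behavioral1/memory/1432-68-0x0000000000270000-0x00000000002AA000-memory.dmp",
    "behavioral1/memory/1432-69-0x000000001B180000-0x000000001B200000-memory.dmp",
    "behavioral1/memory/632-71-0x0000000140000000-0x00000001405E8000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^behavioral\d+/files/(0x[0-9a-f]+)-(\d+)\.dat$")


def parse_resource(name):
    """Return a dict describing one resource; raise on an unknown layout."""
    m = DUMP_RE.match(name)
    if m:
        pid, idx, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        return {"kind": "memory", "pid": int(pid), "index": int(idx),
                "start": start, "end": end, "size": end - start}
    m = FILE_RE.match(name)
    if m:
        return {"kind": "file", "file_id": m.group(1), "index": int(m.group(2))}
    raise ValueError(f"unrecognised resource name: {name}")


def regions_by_size(names):
    """Group matched memory regions by size -> list of PIDs.

    Equal-sized regions in different processes are a hint that the same
    unpacked image was found in both. Here the 0x3A000-byte regions in
    PID 1060 (Infected.exe) and PID 1432 (revitool.exe) line up, which is
    what you expect when the dropped file is a copy of the original.
    """
    groups = defaultdict(list)
    for r in map(parse_resource, names):
        if r["kind"] == "memory":
            groups[r["size"]].append(r["pid"])
    return dict(groups)


if __name__ == "__main__":
    for name in RESOURCES:
        print(parse_resource(name))
    for size, pids in sorted(regions_by_size(RESOURCES).items()):
        print(f"{size:#x} bytes: PIDs {pids}")
```

The hit in PID 632 (taskmgr.exe) starts at 0x140000000, the linker's default image base for 64-bit executables, and that process is the sandbox's own top-level Task Manager rather than a child of the sample; check that region before counting it as injected payload.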
Processes
- C:\Users\Admin\AppData\Local\Temp\Infected.exe (PID 1060, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 992, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "revitool" /tr '"C:\Users\Admin\AppData\Roaming\revitool.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 392, depth 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "revitool" /tr '"C:\Users\Admin\AppData\Roaming\revitool.exe"'
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 1848, depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F1B.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 1456, depth 3)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\revitool.exe (PID 1432, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\revitool.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 632, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

The tree shows the standard AsyncRAT install routine. Infected.exe spawns one cmd.exe that registers a scheduled task named "revitool", triggered at logon (/sc onlogon) with the highest available run level (/rl highest), whose action is the copy in C:\Users\Admin\AppData\Roaming\revitool.exe; /f forces overwrite of any existing task of that name. A second cmd.exe runs a temporary batch file (tmp4F1B.tmp.bat) that waits three seconds with timeout and then starts the dropped copy, which is the PID 1432 that the YARA rule matched in memory. On a suspect host the persistence can be confirmed with schtasks /query /tn revitool /v and by hashing %AppData%\revitool.exe against the values in the General section.
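The install chain above is a compact detection target: a schtasks /create with /sc onlogon and /rl highest whose /tr points into a user-writable folder, plus a cmd.exe running a Temp *.tmp.bat whose children are timeout.exe and an executable under AppData\Roaming. The following added example (not code from the sandbox report or from the AsyncRAT project) runs that logic over process-creation records. The records are constructed to mirror the report's process tree (PIDs, image paths and command lines are copied from it); the "pid|ppid|image|command line" record layout and the parent PID 0 for the two top-level processes are this example's own assumptions, not a real log format.

```python
"""Flag the AsyncRAT install chain visible in the process tree above.

Added example; not code from the sandbox report or from AsyncRAT itself.
EVENTS is constructed from the report's tree. The record layout
"pid|ppid|image|command line" and ppid 0 for top-level processes are
this example's own assumptions.
"""
import re
from collections import defaultdict

EVENTS = [
    r'1060|0|C:\Users\Admin\AppData\Local\Temp\Infected.exe|"C:\Users\Admin\AppData\Local\Temp\Infected.exe"',
    r"""992|1060|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "revitool" /tr '"C:\Users\Admin\AppData\Roaming\revitool.exe"' & exit""",
    r"""392|992|C:\Windows\system32\schtasks.exe|schtasks /create /f /sc onlogon /rl highest /tn "revitool" /tr '"C:\Users\Admin\AppData\Roaming\revitool.exe"'""",
    r'1848|1060|C:\Windows\system32\cmd.exe|cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F1B.tmp.bat""',
    r'1456|1848|C:\Windows\system32\timeout.exe|timeout 3',
    r'1432|1848|C:\Users\Admin\AppData\Roaming\revitool.exe|"C:\Users\Admin\AppData\Roaming\revitool.exe"',
    # The sandbox's own Task Manager: a top-level process that must NOT be
    # attributed to the sample's chain.
    r'632|0|C:\Windows\system32\taskmgr.exe|"C:\Windows\system32\taskmgr.exe" /4',
]

# User-writable install location used by this sample (%AppData%).
APPDATA_RE = re.compile(r"(?:%appdata%|\\appdata\\roaming\\)", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
TASK_RUN_RE = re.compile(r"""/tr\s+'?"?([^"']+)"?'?""", re.I)


def parse_events(lines):
    """Split records into dicts; the command line is kept verbatim."""
    events = []
    for line in lines:
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def find_scheduled_task(events):
    """schtasks /create with onlogon trigger, highest run level and a /tr
    target under AppData. Each flag alone is benign; the combination plus a
    user-writable target is the persistence pattern in the tree above."""
    for e in events:
        c = e["cmdline"]
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        if "/create" not in c.lower() or "onlogon" not in c.lower():
            continue
        if not re.search(r"/rl\s+highest", c, re.I):
            continue
        target = TASK_RUN_RE.search(c)
        if target and APPDATA_RE.search(target.group(1)):
            name = TASK_NAME_RE.search(c)
            return {"pid": e["pid"], "task": name.group(1) if name else None,
                    "target": target.group(1)}
    return None


def find_delayed_launch(events):
    """cmd.exe running a Temp *.tmp.bat whose children are timeout.exe and
    an executable living under AppData\\Roaming."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    for e in events:
        c = e["cmdline"].lower()
        if not (e["image"].lower().endswith("\\cmd.exe")
                and re.search(r'\\temp\\[^\s"]+\.tmp\.bat', c)):
            continue
        kids = children[e["pid"]]
        delay = [k for k in kids if k["image"].lower().endswith("\\timeout.exe")]
        launched = [k for k in kids if APPDATA_RE.search(k["image"])]
        if delay and launched:
            return {"cmd_pid": e["pid"], "delay_pid": delay[0]["pid"],
                    "launched_pid": launched[0]["pid"],
                    "launched_image": launched[0]["image"]}
    return None


def root_of(events, pid):
    """Walk ppid links up to the top-level process that started the chain."""
    by_pid = {e["pid"]: e for e in events}
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def analyze(lines):
    """Return both findings and the root PID(s) they trace back to."""
    events = parse_events(lines)
    task = find_scheduled_task(events)
    launch = find_delayed_launch(events)
    roots = set()
    if task:
        roots.add(root_of(events, task["pid"]))
    if launch:
        roots.add(root_of(events, launch["cmd_pid"]))
    return {"scheduled_task": task, "delayed_launch": launch,
            "chain_roots": sorted(roots)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

Both findings trace back to PID 1060 (Infected.exe) through the ppid links, and the top-level taskmgr.exe record is never touched, which is the distinction the signature list blurs when it mixes the two root processes together.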
Downloads
(The report lists each of the two files twice; the duplicates are collapsed here.)
- Filesize: 152B
  MD5: fe11de1613fd791513c0d09d7ecef919
  SHA1: c416c65285dd66582d7d4ee7803f1746373d5035
  SHA256: 67b9973d5379535b41e794f58a89398cad5e3acde5250434882a617d09f583ac
  SHA512: 2aade0f81f26cf1d5dfba91deeb0ded0b3e83787544816f553d37fdf74c3268214e130a123de5b89d9168fe7b1d8454cc576eff10a31fa73c7b47b21fa40fc02
- Filesize: 209KB
  MD5: 7b009164d0eedb682716bb6c97d97603
  SHA1: 8e94ab5ad0ff41ba02b10095bd3ea9f06c0a3035
  SHA256: 940942b06d32a3f72fe1d6d8bb0885d4412de9ecee1d76a40a43ee4961ce52f1
  SHA512: cb8e6620bdd52ce49b689e73fdd8e1d8b9273fc307c6a2df49fe3666a410581b5b65db6268cc0f70c61923381255d9617d7c314ce437d9f89d8a4d67dbf5b513
  These hashes are identical to the submitted Infected.exe in the General section, so a file with exactly the sample's contents was written during the run.