Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2023 16:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
  - Resource: win7-20231020-en
General
- Target: b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
- Size: 1.4MB
- MD5: 1d3c46705beab45cb1b080ff24d4549e
- SHA1: 8ebd8e1ffa610939943284daafaeb1e27f35e988
- SHA256: b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8
- SHA512: 37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36
- SSDEEP: 24576:AmJMORe2zOUaltm9yU0Wd/qcU714D++PdQ+WhOCayUNo9X+aBjJVI1OyJ/:9+Ge2zhaltm9yvcUD4wkyUc7HH
Malware Config
Extracted:
- asyncrat
- 0.5.8
- Update
- 6.tcp.eu.ngrok.io:18488
- bQQYBRR46lgR
- delay: 3
- install: true
- install_file: Update.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1072-2-0x0000000000C20000-0x000000000102E000-memory.dmp: asyncrat
  - behavioral1/memory/1072-14-0x0000000000C20000-0x000000000102E000-memory.dmp: asyncrat
  - behavioral1/memory/2600-21-0x0000000000240000-0x000000000064E000-memory.dmp: asyncrat
  - behavioral1/memory/2600-23-0x0000000000240000-0x000000000064E000-memory.dmp: asyncrat
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 2600 Update.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 3012 cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes (pid / process):
  - 1072 b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe (2 entries)
  - 2600 Update.exe (15 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
  - 3000 timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - 1072 b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe (3 entries)
  - 2600 Update.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1072 b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
  - Token: SeDebugPrivilege, 2600 Update.exe (2 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  - 1072 b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
  - 2600 Update.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description / pid / process / target process):
  - PID 1072 (b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe) wrote to memory of 2708 (cmd.exe): 4 entries
  - PID 1072 (b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe) wrote to memory of 3012 (cmd.exe): 4 entries
  - PID 2708 (cmd.exe) wrote to memory of 1420 (schtasks.exe): 4 entries
  - PID 3012 (cmd.exe) wrote to memory of 3000 (timeout.exe): 4 entries
  - PID 3012 (cmd.exe) wrote to memory of 2600 (Update.exe): 7 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D05.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Update.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Update.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\CabB492.tmp
  Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- C:\Users\Admin\AppData\Local\Temp\tmp6D05.tmp.bat
  Filesize: 150B
  MD5: 73b1c8e5cc494f02e4f799c4dace21a2
  SHA1: f15ca712a8839176dc05979cbe6f5cd3ea7ad062
  SHA256: 87569de0bbf09592509ade17ac0ba248209e130b8940ea04968977cdddcbee62
  SHA512: 746fab8579ce3fc8b3ba34bba392e10edb86dee70327eded3b572b00b97d04955a5c834fd43ca4a0dec6801a21a760fc043105e8ea08e00011b98e50018e7421
- C:\Users\Admin\AppData\Roaming\Update.exe
  Filesize: 1.4MB
  MD5: 1d3c46705beab45cb1b080ff24d4549e
  SHA1: 8ebd8e1ffa610939943284daafaeb1e27f35e988
  SHA256: b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8
  SHA512: 37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36
- \Users\Admin\AppData\Roaming\Update.exe
  Filesize: 1.4MB
  MD5: 1d3c46705beab45cb1b080ff24d4549e
  SHA1: 8ebd8e1ffa610939943284daafaeb1e27f35e988
  SHA256: b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8
  SHA512: 37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36
- memory/1072-0-0x0000000000C20000-0x000000000102E000-memory.dmp: 4.1MB
- memory/1072-1-0x0000000074370000-0x0000000074A5E000-memory.dmp: 6.9MB
- memory/1072-2-0x0000000000C20000-0x000000000102E000-memory.dmp: 4.1MB
- memory/1072-3-0x00000000052B0000-0x00000000052F0000-memory.dmp: 256KB
- memory/1072-14-0x0000000000C20000-0x000000000102E000-memory.dmp: 4.1MB
- memory/1072-15-0x0000000074370000-0x0000000074A5E000-memory.dmp: 6.9MB
- memory/2600-23-0x0000000000240000-0x000000000064E000-memory.dmp: 4.1MB
- memory/2600-21-0x0000000000240000-0x000000000064E000-memory.dmp: 4.1MB
- memory/2600-22-0x0000000073280000-0x000000007396E000-memory.dmp: 6.9MB
- memory/2600-20-0x0000000000240000-0x000000000064E000-memory.dmp: 4.1MB
- memory/2600-24-0x0000000005110000-0x0000000005150000-memory.dmp: 256KB
- memory/2600-43-0x0000000000240000-0x000000000064E000-memory.dmp: 4.1MB
- memory/2600-44-0x0000000073280000-0x000000007396E000-memory.dmp: 6.9MB
- memory/2600-45-0x0000000005110000-0x0000000005150000-memory.dmp: 256KB
- memory/3012-18-0x0000000002050000-0x000000000245E000-memory.dmp: 4.1MB