Analysis
max time kernel: 105s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2024, 04:13
Behavioral task: behavioral1
Sample: 4a68fda291581b91ef1b75893087dd08.exe
Resource: win7-20231215-en
General
Target: 4a68fda291581b91ef1b75893087dd08.exe
Size: 512KB
MD5: 4a68fda291581b91ef1b75893087dd08
SHA1: 4a53775d7b229a6641a8787ad95e78bd120059f9
SHA256: 86519701b3ca3206d80200bd34376b6a8571cc630fdc6812d7ed0adee8679b45
SHA512: e2d2fb24042bdc05b713899c4d7446a3083fba4406b460c81caba6cb4d293712b86c6703e84ba3ad1770dee5fe22993d410979ba78422f2de614819cded456d1
SSDEEP: 12288:Uhsl2HqZov6n4zexn8ILg6qDwoMwIgtoHZ:UhsYioWxndwwHZ
Malware Config
Signatures
Async RAT payload (6 IoCs)
resource / yara_rule:
- behavioral1/memory/1656-0-0x0000000000BF0000-0x0000000000C76000-memory.dmp / asyncrat
- behavioral1/files/0x0027000000014b38-41.dat / asyncrat
- behavioral1/files/0x0027000000014b38-40.dat / asyncrat
- behavioral1/files/0x0027000000014b38-39.dat / asyncrat
- behavioral1/memory/2596-43-0x0000000000F60000-0x0000000000FE6000-memory.dmp / asyncrat
- behavioral1/memory/2596-74-0x00000000053D0000-0x00000000054D0000-memory.dmp / asyncrat

Deletes itself (1 IoC)
pid / Process:
- 1816 / cmd.exe

Executes dropped EXE (1 IoC)
pid / Process:
- 2596 / OneDriveStandaloneAPIMethod.exe

Loads dropped DLL (1 IoC)
pid / Process:
- 1816 / cmd.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 2380 / schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid / Process:
- 2636 / timeout.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid / Process:
- 2596 / OneDriveStandaloneAPIMethod.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (the same entry recorded 64 times):
- 1656 / 4a68fda291581b91ef1b75893087dd08.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 1656 / 4a68fda291581b91ef1b75893087dd08.exe
- Token: SeDebugPrivilege / 2596 / OneDriveStandaloneAPIMethod.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description / pid / Process / procid_target (each entry recorded 4 times):
- PID 1656 wrote to memory of 2380 / 1656 / 4a68fda291581b91ef1b75893087dd08.exe / 28
- PID 1656 wrote to memory of 1816 / 1656 / 4a68fda291581b91ef1b75893087dd08.exe / 29
- PID 1816 wrote to memory of 2596 / 1816 / cmd.exe / 31
- PID 1816 wrote to memory of 2636 / 1816 / cmd.exe / 30
Processes (tree depth as recorded by the sandbox; children are indented under their parent)

1. C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"
   PID: 1656
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 04:19 /du 23:59 /sc daily /ri 1 /f
      PID: 2380
      - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DF6.tmp.bat""
      PID: 1816
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         command line: timeout 4
         PID: 2636
         - Delays execution with timeout.exe

      3. C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
         command line: "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
         PID: 2596
         - Executes dropped EXE
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of AdjustPrivilegeToken
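The process tree above shows the whole persistence chain in four command lines: the sample registers a daily task named like an OneDrive component that re-runs a binary from AppData\Roaming every minute, then hands off to a temporary .bat that sleeps with timeout before launching the dropped copy. The script below is an added detection example written for this page; it is not part of the sandbox report or of any vendor's product. It parses the schtasks switches and walks a parent/child process table to flag that chain. The (pid, ppid, image, cmdline) record layout, the ppid of 0 for the root process, the regexes for user-writable and trusted directories, and the "/ri of 5 minutes or less" threshold are my assumptions; the command lines themselves are transcribed from the tree above.

```python
"""Flag schtasks-based persistence and the delay-then-run-dropped-EXE chain.

Added example, not part of the sandbox report. Records are constructed from the
Processes section; the tuple layout and ppid 0 for the root are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple, Union

Record = Tuple[int, int, str, str]  # (pid, ppid, image path, command line)

# Constructed from the Processes section of the report.
PROCESS_RECORDS: List[Record] = [
    (1656, 0, r"C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"'),
    (2380, 1656, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks.exe" /create /tn OneDriveStandaloneAPIMethod '
     r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" '
     r'/st 04:19 /du 23:59 /sc daily /ri 1 /f'),
    (1816, 1656, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DF6.tmp.bat""'),
    (2636, 1816, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
    (2596, 1816, r"C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"'),
]

# Assumed heuristics: directories a standard user can write to, names that
# imitate well-known vendors, and the roots where vendor software normally lives.
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp|ProgramData|Users\\Public)\\", re.I)
VENDOR_LIKE = re.compile(r"onedrive|microsoft|google|adobe|windows", re.I)
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Return schtasks switches as {name: value}; switches without a value map to True."""
    tokens = tokenize(cmdline)
    switches: Dict[str, Union[str, bool]] = {}
    i = 1  # token 0 is the image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1].strip('"')
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


def score_schtasks(cmdline: str) -> List[str]:
    """Reasons (assumed heuristics) why a schtasks /create line looks like persistence."""
    sw = parse_schtasks(cmdline)
    if "create" not in sw:
        return []
    reasons: List[str] = []
    action = str(sw.get("tr", ""))
    if USER_WRITABLE.search(action):
        reasons.append("task action runs from a user-writable directory")
    if VENDOR_LIKE.search(str(sw.get("tn", ""))) and not TRUSTED_ROOTS.match(action):
        reasons.append("vendor-like task name but action outside Windows/Program Files")
    ri = sw.get("ri")
    if isinstance(ri, str) and ri.isdigit() and int(ri) <= 5:
        reasons.append(f"re-runs every {ri} minute(s) (/ri {ri})")
    if sw.get("f") is True:
        reasons.append("/f silently overwrites an existing task of the same name")
    return reasons


def find_dropper_chains(records: List[Record]) -> List[Dict[str, object]]:
    """cmd.exe running a .bat from a user-writable path whose children include
    timeout.exe and an .exe launched from a user-writable path."""
    children = defaultdict(list)
    for rec in records:
        children[rec[1]].append(rec)
    chains: List[Dict[str, object]] = []
    for pid, ppid, image, cmdline in records:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        bat = re.search(r'[^"\s]+\.bat', cmdline, re.I)
        if not bat or not USER_WRITABLE.search(bat.group(0)):
            continue
        kids = children.get(pid, [])
        delayed = any(k[2].lower().endswith("\\timeout.exe") for k in kids)
        launched = [k[2] for k in kids
                    if k[2].lower().endswith(".exe") and USER_WRITABLE.search(k[2])]
        if delayed and launched:
            chains.append({"cmd_pid": pid, "parent_pid": ppid,
                           "batch": bat.group(0), "launched": launched})
    return chains


def analyse(records: List[Record]) -> Dict[str, object]:
    """Run both detections over a process table."""
    tasks = {pid: score_schtasks(cmd) for pid, _, image, cmd in records
             if image.lower().endswith("\\schtasks.exe") and score_schtasks(cmd)}
    return {"schtasks": tasks, "chains": find_dropper_chains(records)}


if __name__ == "__main__":
    for key, value in analyse(PROCESS_RECORDS).items():
        print(key, value)
```

In a SIEM the same logic maps onto process-creation telemetry (Sysmon event ID 1 or Security event 4688 with command-line auditing enabled): join child to parent on process GUID or PID, then apply `score_schtasks` to every `schtasks.exe` launch and `find_dropper_chains` to every `cmd.exe` whose command line names a `.bat` under Temp.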
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 279B
  MD5: cb35875d3d49c494749f608f47da1bf1
  SHA1: 9b4e639846585e18f4e2c05a5908c2715aa821cc
  SHA256: 574fe40c0b16f2a7d8d6443a8c5ff2041f4301c2dc38c77799a07b10f351acc2
  SHA512: 1609c69e4e0467352220195775dc950a485a0c96d01bf49367b3c212cca1ed6892874bc857b9012dbf520a3a0b606943835a0bc77f51acf7a247cd7ffdf82702

- Filesize: 312KB
  MD5: 9bf60399eb6ada763a09879fe0e1ac0b
  SHA1: 55b70806e9351f717bd3c1db17de8cc3d53d9197
  SHA256: 441c8b2f9a3d9b3357842aee281987fae602ee1608f71636cf1e0631190bdb07
  SHA512: ad54d64d8c516c6079ccf4eb5d6e860a1a73a30b55952990a6cc8117bd0847408db824edb3755d499880d50685ae568a3596ddc51ed2ad55c7a6c4978f5ceb9d

- Filesize: 511KB
  MD5: f2b7c86c43e9c59111495b8eb32b4814
  SHA1: acd449da5b483e81085235d1bf241d91bc176f3c
  SHA256: 0624fda5f1c610ee12fd2283945ab37429a9d9231786e80a690cb34f015d0bba
  SHA512: c2714080b8431eb748418cc90375c67726056559e909330718a830ac0aeb9a600cd309508ad3796b93119407a258600cbec993993ad6e5745fbec10167bc9d90

- Filesize: 205KB
  MD5: 5e164d85341071c0a70af45a457448db
  SHA1: bf12ba1e64e15861f7f703ca5ab2479ffe61b87e
  SHA256: 787a33c6062ef21a4ba06781848e98de5851ca9466387ddefd93d194426a2b43
  SHA512: 59759db62bc8267530ff8912e831870ca5c034f197dc9ec7bde0eb75555730d688ca5488fd6e701ceca3675fa1efe8f41625baa24d0153295254f13b082b5ae9