Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/01/2024, 04:13
Behavioral task: behavioral1
Sample: 4a68fda291581b91ef1b75893087dd08.exe
Resource: win7-20231215-en
General

Target: 4a68fda291581b91ef1b75893087dd08.exe
Size: 512KB
MD5: 4a68fda291581b91ef1b75893087dd08
SHA1: 4a53775d7b229a6641a8787ad95e78bd120059f9
SHA256: 86519701b3ca3206d80200bd34376b6a8571cc630fdc6812d7ed0adee8679b45
SHA512: e2d2fb24042bdc05b713899c4d7446a3083fba4406b460c81caba6cb4d293712b86c6703e84ba3ad1770dee5fe22993d410979ba78422f2de614819cded456d1
SSDEEP: 12288:Uhsl2HqZov6n4zexn8ILg6qDwoMwIgtoHZ:UhsYioWxndwwHZ
Malware Config
Signatures

Async RAT payload (3 IoCs)
resource                                                                  yara_rule
behavioral2/memory/4304-1-0x0000000000410000-0x0000000000496000-memory.dmp  asyncrat
behavioral2/files/0x0008000000023227-17.dat                               asyncrat
behavioral2/files/0x0008000000023227-18.dat                               asyncrat

Executes dropped EXE (1 IoCs)
pid   Process
1616  OneDriveStandaloneAPIMethod.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4456  schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid   Process
3112  timeout.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid   Process
1616  OneDriveStandaloneAPIMethod.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4304  4a68fda291581b91ef1b75893087dd08.exe  (50 identical entries)
1616  OneDriveStandaloneAPIMethod.exe       (14 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   4304  4a68fda291581b91ef1b75893087dd08.exe
Token: SeDebugPrivilege   1616  OneDriveStandaloneAPIMethod.exe
Suspicious use of WriteProcessMemory (12 IoCs; each write is listed three times in the original report)
description                        pid   Process                               procid_target
PID 4304 wrote to memory of 4456   4304  4a68fda291581b91ef1b75893087dd08.exe  92
PID 4304 wrote to memory of 4708   4304  4a68fda291581b91ef1b75893087dd08.exe  94
PID 4708 wrote to memory of 1616   4708  cmd.exe                               96
PID 4708 wrote to memory of 3112   4708  cmd.exe                               101
Processes

C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a68fda291581b91ef1b75893087dd08.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4304

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 04:19 /du 23:59 /sc daily /ri 1 /f
    - Creates scheduled task(s)
    PID: 4456

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 4708

    C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1616

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
      PID: 3112
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 279B
MD5: 5646ffca9010fadeea65508fc0557edd
SHA1: a4325bc8b7ca669d83a0173a750643125541d834
SHA256: 68b44af97ee56aee4140dfdbbead2be90ac79578fe9d7576d5b4a0ca34143891
SHA512: 30488a46bde56da0195de8b07d832d206ef6fd9b06565680a62ad723c87b43eb876888b73f59a16e3a8da688d11275ef9311ff7b40a67df13feb19f4a838d8b9

Filesize: 1.1MB
MD5: 5bad497a650b57df343a8cc83d8d57d7
SHA1: 99771baf8d1fb0b0240e9ffcf12072c86e9ae8fd
SHA256: 2b0d55b46ce45dc7dd72e4fd2b8b865631176287d61e4a2605dc639fd094e38d
SHA512: 0e5cc01aa02c25beddd1e8539052bb23ea858654157a56c5edc6301be8b8569b0040e70d57e1a108ce3b85b2ef2d22691992a4198b9d884b30cf1aa17bf2d536

Filesize: 1.3MB
MD5: cb01007b07d95b1afe254e4d3accea10
SHA1: d451fe4bb32783bbe3f0f3d265785e580fc76b98
SHA256: ee7934efa11464f331c0af599a0d758ca773432183c38cc0ac5a4b4a56c536ac
SHA512: 935808305b980b4c41e3cdd51631cd1f44964dd3b0709716f956b75f39604193029bfc8443579eb426ba66c5f053e10b69d45f66e15ee69088431c6c535dd2f4