Analysis
Max time kernel: 147s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 21/01/2024, 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: 6d9b118979f1159246f3d37754ab0649.exe
  Resource: win7-20231129-en
General
Target: 6d9b118979f1159246f3d37754ab0649.exe (the sample is named after its own MD5)
Size: 692KB
MD5: 6d9b118979f1159246f3d37754ab0649
SHA1: 7b5c81b2b38bdd2cca9ba1d629a8b5b09e11ba89
SHA256: 996b38a634ab861ffe4a65ad2b3657b45ffdbf06c595a45ab1acd5115538aab6
SHA512: 20b027005e18c3e8acaed8c3601d583a3d2de18377793be08c290328d8c08b4e696df192d0ee6af6f09f05ca309b67978ea9baaf91486bd641f24c04ccea42f3
SSDEEP: 6144:aVRVD4B0CzxknMYPA1jfhpBMk5DRwtiu4pMvRbVFU5y3mt3pCfRNW27Bq+3QYo2D:+RN46uxkn5PRp53mQpNl7HAN2iNW
Malware Config
Extracted family: asyncrat
Version: 0.5.7B
Botnet (group): Default
C2: podzeye.duckdns.org:4422, podzeye.duckdns.org:4442, podzeye.duckdns.org:4433
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

All three C2 entries are the same DuckDNS dynamic-DNS hostname on three alternative ports, so the durable network indicator is the hostname (and DNS lookups for it) rather than whatever IP it resolved to during the run. install is false, so the RAT's built-in install/persistence routine is disabled and install_folder goes unused; the scheduled task in the process tree below is created by the first-stage process (PID 1704) before it injects the payload, not by the AsyncRAT payload itself.
Signatures

Async RAT payload (6 IoCs)
YARA rule "asyncrat" matched these memory dumps of PID 2480:
  behavioral1/memory/2480-17-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/2480-18-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/2480-22-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/2480-24-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/2480-26-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/2480-29-0x0000000000BD0000-0x0000000000C10000-memory.dmp
Five of the six hits are repeated dumps of the same 0x12000-byte region at 0x400000, the default image base of a 32-bit executable, consistent with the AsyncRAT image having been written into the child; the sixth is a separate 0x40000-byte region. The 0x400000 dump is the one to carve for the unpacked payload.

Suspicious use of SetThreadContext (1 IoC)
PID 1704 (6d9b118979f1159246f3d37754ab0649.exe) set the thread context of PID 2480 (procid_target 32).

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2508 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 1704 (6d9b118979f1159246f3d37754ab0649.exe)
Token: SeDebugPrivilege, PID 2480 (6d9b118979f1159246f3d37754ab0649.exe)

Suspicious use of WriteProcessMemory (13 IoCs)
PID 1704 wrote to memory of PID 2508 (schtasks.exe, procid_target 30): 4 events
PID 1704 wrote to memory of PID 2480 (6d9b118979f1159246f3d37754ab0649.exe, procid_target 32): 9 events

Read together: PID 1704 starts a second copy of its own image (PID 2480), writes into it nine times, then sets its thread context, after which the asyncrat rule fires on 2480's memory at 0x400000. That is the RunPE/process-hollowing sequence, with the sample hollowing a copy of itself. The four writes into schtasks.exe come with no SetThreadContext and no YARA hit and are consistent with ordinary child-process creation.
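The SetThreadContext, WriteProcessMemory and asyncrat YARA tables above describe one injection chain only when they are correlated. The Python script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own column layout (transcribed above as constructed input) together with the image-per-PID map from the process tree, and produces a verdict per (writer, target) pair. The function names, the verdict strings and the rule that writes plus SetThreadContext plus a payload hit in the target means hollowing are this example's own.

```python
"""Correlate the report's injection signature rows into a verdict.

Added example for this page, not sandbox code. REPORT_EVENTS is a
transcription of the "Suspicious use of SetThreadContext", "Suspicious use of
WriteProcessMemory" and "Async RAT payload" tables above (column order as in
the tables); PROCESS_IMAGES is taken from the process tree.
"""
import re
from collections import defaultdict

WRITE_ROW = "PID 1704 wrote to memory of 2480 1704 6d9b118979f1159246f3d37754ab0649.exe 32\n"

# Constructed input: the report's rows, one per line. The write into PID 2480
# appears nine times in the report, hence the multiplication.
REPORT_EVENTS = """
PID 1704 set thread context of 2480 1704 6d9b118979f1159246f3d37754ab0649.exe 32
PID 1704 wrote to memory of 2508 1704 6d9b118979f1159246f3d37754ab0649.exe 30
PID 1704 wrote to memory of 2508 1704 6d9b118979f1159246f3d37754ab0649.exe 30
PID 1704 wrote to memory of 2508 1704 6d9b118979f1159246f3d37754ab0649.exe 30
PID 1704 wrote to memory of 2508 1704 6d9b118979f1159246f3d37754ab0649.exe 30
""" + WRITE_ROW * 9 + """
behavioral1/memory/2480-17-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat
behavioral1/memory/2480-18-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat
behavioral1/memory/2480-22-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat
behavioral1/memory/2480-24-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat
behavioral1/memory/2480-26-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat
behavioral1/memory/2480-29-0x0000000000BD0000-0x0000000000C10000-memory.dmp asyncrat
"""

# Image path per PID, from the process tree in the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe"
PROCESS_IMAGES = {1704: SAMPLE_EXE, 2508: r"C:\Windows\SysWOW64\schtasks.exe", 2480: SAMPLE_EXE}

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ \S+ \d+$")
DUMP_RE = re.compile(r"^behavioral1/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)$")


def parse_events(text):
    """Return (write counts per (src, dst), set of SetThreadContext (src, dst)
    pairs, YARA hit counts per PID keyed by (start, end, rule))."""
    writes = defaultdict(int)
    thread_ctx = set()
    hits = defaultdict(lambda: defaultdict(int))
    for raw in text.splitlines():
        line = raw.strip()
        if m := EVENT_RE.match(line):
            src, verb, dst = int(m[1]), m[2], int(m[3])
            if verb.startswith("set thread"):
                thread_ctx.add((src, dst))
            else:
                writes[(src, dst)] += 1
        elif m := DUMP_RE.match(line):
            pid, start, end, rule = int(m[1]), int(m[2], 16), int(m[3], 16), m[4]
            hits[pid][(start, end, rule)] += 1
    return writes, thread_ctx, hits


def assess(writes, thread_ctx, hits, images):
    """One finding per (writer, target) pair. Writes followed by SetThreadContext
    into a process whose memory then matches the payload rule is the RunPE /
    process-hollowing sequence; writes alone also happen during ordinary child
    creation and are not conclusive on their own."""
    findings = []
    for (src, dst), n in sorted(writes.items()):
        regions = sorted((s, e, rule, c) for (s, e, rule), c in hits.get(dst, {}).items())
        f = {
            "source": src,
            "target": dst,
            "target_image": images.get(dst),
            "writes": n,
            "set_thread_context": (src, dst) in thread_ctx,
            "same_image": images.get(src) == images.get(dst),
            "payload_regions": regions,  # (start, end, rule, number of dumps)
        }
        if f["set_thread_context"] and regions:
            f["verdict"] = "process hollowing (self-injection)" if f["same_image"] else "process hollowing"
        elif f["set_thread_context"]:
            f["verdict"] = "thread context hijack, payload not confirmed by YARA"
        else:
            f["verdict"] = "memory writes only; consistent with ordinary child creation"
        findings.append(f)
    return findings


def triage(text=REPORT_EVENTS, images=PROCESS_IMAGES):
    return assess(*parse_events(text), images)


if __name__ == "__main__":
    for f in triage():
        print(f"{f['source']} -> {f['target']} ({f['target_image']}): {f['verdict']}")
        for start, end, rule, count in f["payload_regions"]:
            print(f"    {rule} at {start:#x}-{end:#x} ({end - start:#x} bytes, {count} dumps)")
```

Run as-is it reports 1704 -> 2480 as self-injection with the asyncrat region at 0x400000-0x412000 (0x12000 bytes, five dumps) and 1704 -> 2508 as writes only. The same-image test is what separates "sample hollows a copy of itself" from hollowing a legitimate host such as RegAsm.exe or a browser, which changes what you look for on the endpoint.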
Processes

C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2508, child of 1704)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNveAQv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe (PID 2480, child of 1704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe"
    - Suspicious use of AdjustPrivilegeToken

Two details are worth noting. The command line names C:\Windows\System32\schtasks.exe but the image that ran is C:\Windows\SysWOW64\schtasks.exe: the parent is a 32-bit process on a 64-bit host, so WOW64 file-system redirection substituted the 32-bit binary (consistent with the 0x400000 image base seen in the memory dumps). The task is registered from an XML definition in %TEMP% (tmpD20E.tmp) instead of inline /SC and /TR switches, which keeps the trigger and action out of command-line logging; the registered definition persists under C:\Windows\System32\Tasks\Updates\RNveAQv even if the temporary XML is deleted, and the task name "Updates\RNveAQv" is what to hunt for in Security event 4698 and Microsoft-Windows-TaskScheduler/Operational event 106.
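The report shows the schtasks command line but not the contents of tmpD20E.tmp, and it is the XML that answers what a responder needs to know: when the task fires, as whom, whether it is hidden and what it runs. The same schema is what Windows keeps under C:\Windows\System32\Tasks. The Python below is an added example, not code from the report or from any project it mentions. SAMPLE_TASK_XML is a constructed stand-in that reuses only the task URI and executable path from the process tree; its logon trigger, Hidden flag and principal are assumptions, and the heuristics in suspicious_indicators are this example's own.

```python
"""Parse a Task Scheduler definition like the one registered above.

Added example for this page, not sandbox code. The report shows only the
schtasks command line, not the contents of tmpD20E.tmp, so SAMPLE_TASK_XML is
a constructed stand-in: the task URI and the executable path are taken from
the process tree; the logon trigger, Hidden flag and principal are assumed.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample. Real definitions on disk (%SystemRoot%\System32\Tasks\...)
# are UTF-16 with an XML declaration; read those as bytes so the declared
# encoding is honoured, e.g. inspect_task(open(path, "rb").read()).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Admin</Author>
    <URI>\Updates\RNveAQv</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>Admin</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Locations from which a legitimate scheduled task rarely runs its executable.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def inspect_task(xml_data):
    """Extract what a responder needs: who registered the task, when it fires,
    with what privileges, whether it is hidden, and what it executes."""
    root = ET.fromstring(xml_data)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    triggers = root.find("t:Triggers", NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.find("t:Command", NS)
        args = ex.find("t:Arguments", NS)
        actions.append({
            "command": (cmd.text or "").strip() if cmd is not None else "",
            "arguments": (args.text or "").strip() if args is not None else "",
        })
    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        # Child element names minus the namespace, e.g. LogonTrigger, BootTrigger
        "triggers": [t.tag.rsplit("}", 1)[-1] for t in triggers] if triggers is not None else [],
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden") == "true",
        "actions": actions,
    }


def suspicious_indicators(info):
    """Heuristics worth a second look; none is conclusive on its own."""
    reasons = []
    for a in info["actions"]:
        if any(p in a["command"].lower() for p in USER_WRITABLE):
            reasons.append("action runs from a user-writable path: " + a["command"])
    if info["hidden"]:
        reasons.append("task is marked Hidden")
    persistence = [t for t in info["triggers"] if t in ("LogonTrigger", "BootTrigger")]
    if persistence:
        reasons.append("persistence trigger: " + ", ".join(persistence))
    return reasons


if __name__ == "__main__":
    info = inspect_task(SAMPLE_TASK_XML)
    print(info["uri"], "by", info["author"], "runs", [a["command"] for a in info["actions"]])
    for r in suspicious_indicators(info):
        print(" -", r)
```

Point it at every file under C:\Windows\System32\Tasks on a suspect host and the three heuristics (executable in a user-writable directory, Hidden, logon or boot trigger) surface the loader-style tasks quickly; expect some benign hits from updaters that install per-user, so treat the output as a triage queue rather than a verdict.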
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (the report lists hashes only, no filename)
Filesize: 1KB
MD5: 7eafdde8e9c04fdb7131c7efb3486864
SHA1: 21ad676658e0228ffe29a46db1f4740b3e70b296
SHA256: 71f1ebb481418acb98265caccb37c936f2e71141d184e4ae09b76a7f3c171390
SHA512: b6cb5cb628ec8377c6060f82e04f2bb93237bf48ce64d5a5ff1e0a79befcf887c16f53537dd268addb32ceece576726cb2e60dd6066f551beb0d24d16fdc2e00