Analysis
  max time kernel: 150s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21/01/2024, 17:27

Static task: static1
Behavioral task: behavioral1
  Sample: 6d9b118979f1159246f3d37754ab0649.exe
  Resource: win7-20231129-en
General
  Target: 6d9b118979f1159246f3d37754ab0649.exe
  Size: 692KB
  MD5: 6d9b118979f1159246f3d37754ab0649
  SHA1: 7b5c81b2b38bdd2cca9ba1d629a8b5b09e11ba89
  SHA256: 996b38a634ab861ffe4a65ad2b3657b45ffdbf06c595a45ab1acd5115538aab6
  SHA512: 20b027005e18c3e8acaed8c3601d583a3d2de18377793be08c290328d8c08b4e696df192d0ee6af6f09f05ca309b67978ea9baaf91486bd641f24c04ccea42f3
  SSDEEP: 6144:aVRVD4B0CzxknMYPA1jfhpBMk5DRwtiu4pMvRbVFU5y3mt3pCfRNW27Bq+3QYo2D:+RN46uxkn5PRp53mQpNl7HAN2iNW
Malware Config
Extracted
  Family: asyncrat
  Version: 0.5.7B
  Botnet: Default
  C2:
    podzeye.duckdns.org:4422
    podzeye.duckdns.org:4442
    podzeye.duckdns.org:4433
  Mutex: AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%
Signatures
  Async RAT payload (1 IoC)
    resource: behavioral2/memory/2244-18-0x0000000000400000-0x0000000000412000-memory.dmp
    yara_rule: asyncrat
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
    process: 6d9b118979f1159246f3d37754ab0649.exe
  Suspicious use of SetThreadContext (1 IoC)
    description: PID 3464 set thread context of 2244
    pid: 3464
    process: 6d9b118979f1159246f3d37754ab0649.exe
    procid_target: 99
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid: 2376
    process: schtasks.exe
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid: 3464
    process: 6d9b118979f1159246f3d37754ab0649.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, pid 3464, process 6d9b118979f1159246f3d37754ab0649.exe
    Token: SeDebugPrivilege, pid 2244, process 6d9b118979f1159246f3d37754ab0649.exe
  Suspicious use of WriteProcessMemory (11 IoCs)
    PID 3464 (6d9b118979f1159246f3d37754ab0649.exe) wrote to memory of 2376 (procid_target 97), recorded 3 times
    PID 3464 (6d9b118979f1159246f3d37754ab0649.exe) wrote to memory of 2244 (procid_target 99), recorded 8 times
Processes
  C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe (PID 3464)
    command line: "C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2376, child of 3464)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNveAQv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC30.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe (PID 2244, child of 3464)
      command line: "C:\Users\Admin\AppData\Local\Temp\6d9b118979f1159246f3d37754ab0649.exe"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6d9b118979f1159246f3d37754ab0649.exe.log
    Filesize: 1KB
    MD5: 17573558c4e714f606f997e5157afaac
    SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
    SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
    SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
  (second file, no path given in the report)
    Filesize: 1KB
    MD5: 643030caa32ee9b557b8c556bd8572b9
    SHA1: 185b8f8d55151681ac3f7ceda7e2ec7f2fda9e01
    SHA256: 2d8a362f55054650b80810cfeba688e377d60a24c5e2417fd591f7bfb73acebf
    SHA512: 8f436213fa2c46b0f84b03d117a323a3f12312d5749c70dff8531a76b907eb35425973d3ae5b8616f9ce98e5aa74fbda438202edbd4ea70f1ce92dbef0dccf6d