Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
22/01/2024, 06:23
Static task
static1
Behavioral task
behavioral1
Sample
6ef384d982b8fe6de471207bf7efa7d1.exe
Resource
win7-20231215-en
General
-
Target
6ef384d982b8fe6de471207bf7efa7d1.exe
-
Size
1000KB
-
MD5
6ef384d982b8fe6de471207bf7efa7d1
-
SHA1
1fa26e5484ed366d7749696d686aaf2136696197
-
SHA256
04146a5e5ccf0038e5b3a8c3bf3880493f19d99c03400af0f7ecacb0d9ef1ac0
-
SHA512
8b0c5d55b524512f08a2d11177a18d6e2ea27ac748fddc21d42263c249996bf677d6ec7c82cf5b3e643f80be84a0f15a92286e53b5b4a07fdb8130b7c145da09
-
SSDEEP
24576:6o2A4d1/VD4y4ZcN9qUxtJU2PfjCQUWM/NJKaoo:9by/VD34M91xE2upLJKlo
Malware Config
Extracted
Family
asyncrat
-
Version
0.5.7B
-
Botnet
Default
-
C2
127.0.0.1:2245
127.0.0.1:2256
fresh01.ddns.net:2245
fresh01.ddns.net:2256
-
Mutex
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 6 IoCs
resource                                                              yara_rule
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral1/memory/2720-16-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral1/memory/2720-19-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral1/memory/2720-21-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral1/memory/2720-23-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral1/memory/2720-26-0x0000000000F20000-0x0000000000F60000-memory.dmp  asyncrat
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                               procid_target
PID 2148 set thread context of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1200  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2148  6ef384d982b8fe6de471207bf7efa7d1.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2148  6ef384d982b8fe6de471207bf7efa7d1.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description                       pid   Process                               procid_target
PID 2148 wrote to memory of 1200  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  28
PID 2148 wrote to memory of 1200  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  28
PID 2148 wrote to memory of 1200  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  28
PID 2148 wrote to memory of 1200  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  28
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
PID 2148 wrote to memory of 2720  2148  6ef384d982b8fe6de471207bf7efa7d1.exe  30
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"
   PID: 2148
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mdHFZnJnjYruf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD865.tmp"
      PID: 1200
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"
      PID: 2720
-
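The signature rows and process tree above describe two behaviors worth turning into detection logic: the parent (PID 2148) spawns a second copy of its own image (PID 2720), writes into it and then calls SetThreadContext on it, which is the RunPE/process-hollowing pattern, and it runs schtasks /Create with a task XML taken from the user's temp directory as its persistence step (the SysWOW64 image path against a System32 command line shows the parent is a 32-bit process under WoW64 file-system redirection). The script below is an added example, not part of the sandbox report or of any tool it mentions; its process table and event lines are constructed from the report's own PIDs and command lines, and the record layout it parses is an assumption of the example, not the sandbox's export format. Note also that the 127.0.0.1 entries in the extracted config are loopback placeholders; only the fresh01.ddns.net entries are actionable network IOCs.

```python
"""Triage sandbox behavioral events for process hollowing and schtasks
persistence.  Inputs are CONSTRUCTED from the report above (PIDs 2148,
1200, 2720); the record layout is this example's own assumption."""
import re
from collections import defaultdict

# Process table: pid -> (parent pid, image path, command line).  Constructed.
PROCESSES = {
    2148: (None, r"C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"'),
    1200: (2148, r"C:\Windows\SysWOW64\schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mdHFZnJnjYruf" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD865.tmp"'),
    2720: (2148, r"C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"'),
}

# API-level events in the report's own wording, one line per call.  Constructed.
EVENTS = """
PID 2148 wrote to memory of 1200
PID 2148 wrote to memory of 1200
PID 2148 wrote to memory of 2720
PID 2148 wrote to memory of 2720
PID 2148 set thread context of 2720
Token: SeDebugPrivilege 2148
""".strip().splitlines()

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
PRIV_RE = re.compile(r"^Token: (Se\w+Privilege) (\d+)$")


def parse_events(lines):
    """Bucket events: writer -> {targets}, {(setter, target)}, pid -> {privileges}."""
    writes, ctx, privs = defaultdict(set), set(), defaultdict(set)
    for line in lines:
        if m := WRITE_RE.match(line):
            writes[int(m[1])].add(int(m[2]))
        elif m := CTX_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
        elif m := PRIV_RE.match(line):
            privs[int(m[2])].add(m[1])
    return writes, ctx, privs


def find_hollowing(processes, writes, ctx):
    """A parent that writes into a child it spawned and then redirects that
    child's thread context is the RunPE / process-hollowing pattern.  The
    child being a fresh copy of the parent's own image (as here) is the
    self-injection variant; the same logic fires when the host is a decoy
    such as a signed .NET utility.  Writes without SetThreadContext (PID 1200
    here) are not enough on their own and are deliberately not flagged."""
    hits = []
    for src, dst in ctx:
        ppid, image, _ = processes.get(dst, (None, "", ""))
        if ppid == src and dst in writes.get(src, ()):
            hits.append({"technique": "process_hollowing", "injector": src,
                         "target": dst, "target_image": image,
                         "self_image": image == processes[src][1]})
    return hits


def find_schtasks_persistence(processes):
    """schtasks /Create fed an XML file from a user temp directory, launched by
    a parent that itself runs from a user-writable path, is the persistence
    step.  A SysWOW64 image path with a System32 command line means the
    parent is 32-bit and the path was rewritten by WoW64 redirection."""
    hits = []
    for pid, (ppid, image, cmdline) in processes.items():
        if not image.lower().endswith("\\schtasks.exe") or "/create" not in cmdline.lower():
            continue
        tn = re.search(r'/TN\s+"([^"]+)"', cmdline, re.I)
        xml = re.search(r'/XML\s+"([^"]+)"', cmdline, re.I)
        parent_image = processes.get(ppid, (None, "", ""))[1]
        hits.append({"technique": "scheduled_task", "pid": pid, "parent": ppid,
                     "task_name": tn[1] if tn else None,
                     "xml_path": xml[1] if xml else None,
                     "xml_in_temp": bool(xml and "\\appdata\\local\\temp\\" in xml[1].lower()),
                     "parent_in_user_path": "\\users\\" in parent_image.lower(),
                     "wow64": "\\syswow64\\" in image.lower()})
    return hits


def triage(processes=PROCESSES, events=EVENTS):
    """Return every finding for the given process table and event lines."""
    writes, ctx, privs = parse_events(events)
    findings = find_hollowing(processes, writes, ctx) + find_schtasks_persistence(processes)
    for pid, names in privs.items():
        if "SeDebugPrivilege" in names:   # needed to open other processes for injection
            findings.append({"technique": "sedebug_enabled", "pid": pid})
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

In a real pipeline the constructed tables would be replaced by the sandbox's exported process list and API trace; the three predicates (self-spawn plus write plus SetThreadContext, schtasks /Create with an XML under %TEMP%, SeDebugPrivilege enabled) are the parts worth keeping.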
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
c0e5eafab7b195b485417afb0843b63d
SHA1
40326bc23456620beaa66461c0d679aca2bb10cf
SHA256
919f4d1d8bc245ef94df7a155e9c14a8c6548f33d95f4ede329b0620d797a018
SHA512
540868323c8f102f48169082fdb2a81ff3acab6786d51a8734c8766da5e7593938c84e92c6a983d9b163c3679a511c317aa1508e4ff04f820db9af3db8cc7370