Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2024, 06:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6ef384d982b8fe6de471207bf7efa7d1.exe
- Resource: win7-20231215-en
General
- Target: 6ef384d982b8fe6de471207bf7efa7d1.exe
- Size: 1000KB
- MD5: 6ef384d982b8fe6de471207bf7efa7d1
- SHA1: 1fa26e5484ed366d7749696d686aaf2136696197
- SHA256: 04146a5e5ccf0038e5b3a8c3bf3880493f19d99c03400af0f7ecacb0d9ef1ac0
- SHA512: 8b0c5d55b524512f08a2d11177a18d6e2ea27ac748fddc21d42263c249996bf677d6ec7c82cf5b3e643f80be84a0f15a92286e53b5b4a07fdb8130b7c145da09
- SSDEEP: 24576:6o2A4d1/VD4y4ZcN9qUxtJU2PfjCQUWM/NJKaoo:9by/VD34M91xE2upLJKlo
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 127.0.0.1:2245, 127.0.0.1:2256, fresh01.ddns.net:2245, fresh01.ddns.net:2256
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  resource: behavioral2/memory/2876-17-0x0000000000400000-0x0000000000412000-memory.dmp, yara_rule: asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process: 6ef384d982b8fe6de471207bf7efa7d1.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3936 set thread context of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2804 (process: schtasks.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3936 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe)
  PID 3936 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe)
  PID 3936 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 3936 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 3936 wrote to memory of 2804 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 96)
  PID 3936 wrote to memory of 2804 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 96)
  PID 3936 wrote to memory of 2804 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 96)
  PID 3936 wrote to memory of 4596 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 98)
  PID 3936 wrote to memory of 4596 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 98)
  PID 3936 wrote to memory of 4596 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 98)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
  PID 3936 wrote to memory of 2876 (process: 6ef384d982b8fe6de471207bf7efa7d1.exe, procid_target: 99)
Processes
- C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe (level 1, PID 3936)
  command line: "C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2, PID 2804)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mdHFZnJnjYruf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF81B.tmp"
    signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe (level 2, PID 4596)
    command line: "C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"
  - C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe (level 2, PID 2876)
    command line: "C:\Users\Admin\AppData\Local\Temp\6ef384d982b8fe6de471207bf7efa7d1.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: 21a8fcc17a2343715c1751a8f15c8ed2
- SHA1: f2425e1301b213da7747dd76989087249396fa79
- SHA256: 10e5c505295fb9f4d1a041fecfe233bee3b6755dfadd3fe5acd3d887ce2c811d
- SHA512: 7be8d7e7f369eb93e2cfd6997f6bd6850e4c00b83705bdc0a21d313d74f352c5c67303a180f691c0a28f2b3a700921fde58487ea2aa5fe635f1dcc89b1ea6b9b