Analysis

max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2024, 05:50

Static task: static1
Behavioral task: behavioral1
Sample: 73e51598d70df9f164408abaaf346211.exe
Resource: win7-20231129-en
General

Target: 73e51598d70df9f164408abaaf346211.exe
Size: 291KB
MD5: 73e51598d70df9f164408abaaf346211
SHA1: 31998d8ae54173f71c132120cf62fbda266a33fc
SHA256: 238230eb6322dfb786b5e3054b44d1e0322aadfc44232111ec3db71e20503ee8
SHA512: 4ef11892e99551ef08d596947edd3a4c6c936a22edbb9c25f9e59279b7bf8ea4cf5c4e51a0e98b7c2753a1180f762138290f77239e353bf57959e6cd074132e5
SSDEEP: 3072:aFPdic8sB/RkDWMGdtFkZKm320SEuBJVJlACYpMHAsjyRhuKp4NS/wNBf+Dh8HiZ:QlxsmiKpBzJiPpMHAsehcNmm+DS4h
Malware Config

Extracted
Family: asyncrat
Version: 0.5.6D
Botnet (group): Default
C2: 79.134.225.44:7450
Mutex: zesdluuiwc
Attributes:
  delay: 5
  install: false
  install_folder: %AppData%
Signatures

Async RAT payload (6 IoCs)
  yara rule "asyncrat" matched the following memory dumps (resource):
    behavioral1/memory/2296-15-0x0000000000400000-0x0000000000412000-memory.dmp
    behavioral1/memory/2296-17-0x0000000000400000-0x0000000000412000-memory.dmp
    behavioral1/memory/2296-21-0x0000000000400000-0x0000000000412000-memory.dmp
    behavioral1/memory/2296-23-0x0000000000400000-0x0000000000412000-memory.dmp
    behavioral1/memory/2296-25-0x0000000000400000-0x0000000000412000-memory.dmp
    behavioral1/memory/2296-30-0x0000000004380000-0x00000000043C0000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
  description: PID 880 set thread context of 2296
  pid: 880, Process: 73e51598d70df9f164408abaaf346211.exe, procid_target: 30

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2720, Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 880, Process: 73e51598d70df9f164408abaaf346211.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 880, Process: 73e51598d70df9f164408abaaf346211.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description: PID 880 wrote to memory of 2720 (4 events)
    pid: 880, Process: 73e51598d70df9f164408abaaf346211.exe, procid_target: 28
  description: PID 880 wrote to memory of 2296 (9 events)
    pid: 880, Process: 73e51598d70df9f164408abaaf346211.exe, procid_target: 30
Processes

C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe  (PID 880)
  command line: "C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  └ C:\Windows\SysWOW64\schtasks.exe  (PID 2720)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EzliZea" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp"
      - Creates scheduled task(s)

  └ C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe  (PID 2296)
      command line: "{path}"
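The Signatures and Processes sections above together describe two behaviours worth turning into detection logic. First, the outer process (PID 880) registers a scheduled task from an XML file dropped in %Temp% (the image path shows SysWOW64 because the 32-bit parent's call to System32\schtasks.exe is redirected by WoW64, consistent with the arch:x86 tag). Second, it launches a fresh copy of its own image with the literal command line "{path}", writes into it and calls SetThreadContext on it, which is the process-hollowing sequence behind the asyncrat memory matches in PID 2296. Note that the extracted config has install set to false and the task is registered by PID 880, not by the injected payload process, so treat the scheduled task as the loader stage's persistence rather than AsyncRAT's own install routine. The Python below is an added example, not part of the Triage report or of any Triage tooling: it replays the report's PIDs and command lines as a constructed event stream in a record format of this example's own design (loosely Sysmon-like; the Event fields are an assumption) and flags both patterns, mapped to ATT&CK T1053.005 (Scheduled Task) and T1055.012 (Process Hollowing). It generalises slightly beyond the report by also scoring schtasks launches whose parent runs from %Temp% and by requiring the write to precede the context reset.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One process-tracing event. The record shape is this example's own
    (assumption), loosely modelled on Sysmon-style fields, not Triage's schema."""
    kind: str                          # process_create | write_process_memory | set_thread_context
    pid: int                           # process_create: the new process; otherwise the acting process
    image: str = ""                    # image path of that process
    cmdline: str = ""                  # command line (process_create only)
    parent_pid: Optional[int] = None   # process_create only
    parent_image: str = ""             # process_create only
    target_pid: Optional[int] = None   # cross-process events only


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe"

# Constructed event stream using the PIDs and command lines from the report above.
EVENTS: List[Event] = [
    Event("process_create", 880, SAMPLE, f'"{SAMPLE}"'),
    Event("process_create", 2720, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EzliZea" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp"',
          parent_pid=880, parent_image=SAMPLE),
    Event("process_create", 2296, SAMPLE, '"{path}"', parent_pid=880, parent_image=SAMPLE),
    Event("write_process_memory", 880, SAMPLE, target_pid=2296),
    Event("set_thread_context", 880, SAMPLE, target_pid=2296),
]

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Return the value following a schtasks flag such as /TN or /XML (quoted or bare)."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect_schtasks_persistence(events: List[Event]) -> List[dict]:
    """T1053.005: schtasks /Create fed by an XML definition in %Temp%, or launched
    by a parent running from %Temp%. Either alone deserves a look; both together
    is the pattern in the report."""
    hits: List[dict] = []
    for e in events:
        if e.kind != "process_create" or e.image.lower().rsplit("\\", 1)[-1] != "schtasks.exe":
            continue
        if not re.search(r"/create\b", e.cmdline, re.IGNORECASE):
            continue
        xml, task = _arg(e.cmdline, "/XML"), _arg(e.cmdline, "/TN")
        reasons = []
        if xml and TEMP_DIR.search(xml):
            reasons.append("task definition read from an XML file in %Temp%")
        if TEMP_DIR.search(e.parent_image):
            reasons.append("schtasks.exe spawned by an executable running from %Temp%")
        if reasons:
            hits.append({"technique": "T1053.005", "pid": e.pid, "parent_pid": e.parent_pid,
                         "task": task, "xml": xml, "reasons": reasons})
    return hits


def detect_process_hollowing(events: List[Event]) -> List[dict]:
    """T1055.012: a parent writes into its own child and then calls SetThreadContext
    on it. Extra signals if the child is a copy of the parent's image or was started
    with a placeholder command line such as "{path}"."""
    created = {e.pid: e for e in events if e.kind == "process_create"}
    first_seen: Dict[Tuple[int, int], Dict[str, int]] = {}   # (actor, victim) -> kind -> index
    for i, e in enumerate(events):
        if e.kind in ("write_process_memory", "set_thread_context") and e.target_pid is not None:
            first_seen.setdefault((e.pid, e.target_pid), {}).setdefault(e.kind, i)
    hits: List[dict] = []
    for (actor, victim), stages in first_seen.items():
        child = created.get(victim)
        if child is None or child.parent_pid != actor:
            continue
        w, s = stages.get("write_process_memory"), stages.get("set_thread_context")
        if w is None or s is None or w > s:     # need a remote write, then a context reset
            continue
        signals = ["remote write followed by SetThreadContext into own child"]
        if child.image.lower() == child.parent_image.lower():
            signals.append("child is a fresh copy of the parent's own image")
        if "{path}" in child.cmdline:
            signals.append('child command line is the literal placeholder "{path}"')
        hits.append({"technique": "T1055.012", "parent_pid": actor, "child_pid": victim,
                     "signals": signals})
    return hits


def analyse(events: List[Event]) -> List[dict]:
    return detect_schtasks_persistence(events) + detect_process_hollowing(events)


if __name__ == "__main__":
    for hit in analyse(EVENTS):
        print(hit)
```

On the report's events this yields one T1053.005 hit for PID 2720 (task "Updates\EzliZea", XML in %Temp%, parent in %Temp%) and one T1055.012 hit for the 880 to 2296 pair with all three signals. Feeding real Sysmon or EDR telemetry requires only mapping your event source's fields onto the Event record.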
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 6b3207f25e436323c3d8fa06d175db09
SHA1: 4e8ef9f9a8895537beae550cecfe652741c4abc4
SHA256: 5ee6625f49079593002280669f88b7cca75f8232a6c82d4b69ba73e41af572a5
SHA512: 933391cc9c28af19ebe7f7c4acf5b75c2a5b160ad035d94305828d6257b5aced05ea43691588b55bbd3bf157d1b134acf817d328c7de83edc754d1fe60266bce