Malware Analysis Report

2024-08-06 17:50

Sample ID 240306-xmkccage8x
Target Infected.exe
SHA256 02f8a79e27433c2c109422a5d5e80be07d9708593a35da5dc27d515a59c41192
Tags
asyncrat test rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02f8a79e27433c2c109422a5d5e80be07d9708593a35da5dc27d515a59c41192

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat test rat

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-03-06 18:58

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-06 18:58

Reported

2024-03-06 19:00

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\sigma.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 624 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 624 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 624 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 1532 wrote to memory of 1696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1532 wrote to memory of 1696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 3564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 400 wrote to memory of 3564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 400 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\sigma.exe
PID 400 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\sigma.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp13D1.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\sigma.exe

"C:\Users\Admin\AppData\Roaming\sigma.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 fl-survivor.gl.at.ply.gg udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 147.185.221.17:23531 fl-survivor.gl.at.ply.gg tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/624-0-0x0000000000150000-0x0000000000192000-memory.dmp

memory/624-1-0x00007FFBEE3A0000-0x00007FFBEEE61000-memory.dmp

memory/624-2-0x0000000002230000-0x0000000002240000-memory.dmp

memory/624-7-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

memory/624-8-0x00007FFBEE3A0000-0x00007FFBEEE61000-memory.dmp

memory/624-9-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp13D1.tmp.bat

MD5 a9efa80a6bb7f1ee8a097aa751ec2a78
SHA1 4e89104a4113cc4501eee5e0ed882135712558aa
SHA256 37603237587f5a3451aeb6d90e539dcdbe15116b446682e33962818fdc022bd2
SHA512 f8e8da451fd7aaac55331456ce0ea092abc8048433d3d3012ab92070d512a7cffffc04f4a1481cafd677b69a72da2fd7ed0231a295e5089be333d1b5bd9f3b2a

C:\Users\Admin\AppData\Roaming\sigma.exe

MD5 c52328c4ee962ed40e486b8d7071d7c1
SHA1 8b639380fc31b4aadd2d84f1f73d9fbfd486c0e5
SHA256 02f8a79e27433c2c109422a5d5e80be07d9708593a35da5dc27d515a59c41192
SHA512 d77f8e0495cd03db3e1c24906b69e7850382480014071b69ed1f0f0494019b22c3376b49c7e19d0e5c8825f32d5cd7674e52ce8e7a4708878799937d23dafbf7

memory/1504-14-0x00007FFBED960000-0x00007FFBEE421000-memory.dmp

memory/1504-15-0x000000001BB10000-0x000000001BB20000-memory.dmp

memory/1504-16-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

memory/1504-17-0x00007FFBED960000-0x00007FFBEE421000-memory.dmp

memory/1504-18-0x000000001BB10000-0x000000001BB20000-memory.dmp

memory/1504-19-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp