Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/03/2024, 21:34

Static task: static1

Behavioral task: behavioral1
- Sample: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
- Resource: win10v2004-20240226-en

General
- Target: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
- Size: 320KB
- MD5: 3f088e75c8dff450bb0eb1d9a8a1c68a
- SHA1: 779f0f742cd4e1e42f95c4c86e14c2bac5a88397
- SHA256: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e
- SHA512: f858234e044960ff862e6c716c159f631384096618955b9c041a2c03c0b70732f00ea4baaf4d96c78045f37e32e389ec27f3c0cc16ee18be01b68935806336c7
- SSDEEP: 3072:wqQLW3NQGDxLKFvweJvCnKkopganrtvaTVieMhJ3Bj3untI1fE:lXa1vmopganrtvaTVieMT36L
Malware Config
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Dark-20250 - M
- C2: bg1.heztak.pro:2202
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Detects executables attempting to enumerate video devices using WMI (1 IoC)
  resource: behavioral2/memory/4764-4-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
- Detects executables containing the string DcRatBy (1 IoC)
  resource: behavioral2/memory/4764-4-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy
- Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. (1 IoC)
  resource: behavioral2/memory/4764-4-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
- Detects executables packed with SmartAssembly (1 IoC)
  resource: behavioral2/memory/2396-0-0x0000000000800000-0x000000000082A000-memory.dmp
  yara_rule: INDICATOR_EXE_Packed_SmartAssembly
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2396 set thread context of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4744 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeManageVolumePrivilege | 3632 | svchost.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4764 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 89
  PID 2396 wrote to memory of 4308 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 90
  PID 2396 wrote to memory of 4308 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 90
  PID 2396 wrote to memory of 4308 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 90
  PID 2396 wrote to memory of 3304 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 91
  PID 2396 wrote to memory of 3304 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 91
  PID 2396 wrote to memory of 3304 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 91
  PID 2396 wrote to memory of 2716 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 92
  PID 2396 wrote to memory of 2716 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 92
  PID 2396 wrote to memory of 2716 | 2396 | 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe | 92
  PID 3304 wrote to memory of 4744 | 3304 | cmd.exe | 96
  PID 3304 wrote to memory of 4744 | 3304 | cmd.exe | 96
  PID 3304 wrote to memory of 4744 | 3304 | cmd.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe (PID 2396)
  command line: "C:\Users\Admin\AppData\Local\Temp\6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4764)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 4308)
    command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AddDate"
  - C:\Windows\SysWOW64\cmd.exe (PID 3304)
    command line: "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AddDate\AddDate.exe'" /f
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4744)
      command line: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AddDate\AddDate.exe'" /f
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2716)
    command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe" "C:\Users\Admin\AppData\Roaming\AddDate\AddDate.exe"
- C:\Windows\system32\rundll32.exe (PID 3532)
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (PID 3632)
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  signatures: Suspicious use of AdjustPrivilegeToken