Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/03/2024, 01:42
Static task: static1
Behavioral task: behavioral1
Sample: 297942cdaf9c3efc3968bab08b2a69ea.exe
Resource: win7-20240221-en
General
Target: 297942cdaf9c3efc3968bab08b2a69ea.exe
Size: 24.2MB
MD5: 297942cdaf9c3efc3968bab08b2a69ea
SHA1: ed32102f28e40674f308a74c9f00eb0908ab797a
SHA256: 09b1cb8d457625091e02d13c9f6323309a5652ed4e8b33eaf9c994ca9c849805
SHA512: 55e09b0d0da590cfd529ca0e6b1d084653cb5e96df8cf94ecd1d721f02d208b02391b89ad65b25c727218623627eaedead2df2611ff42a397b865b22fb57f53d
SSDEEP: 786432:cs+YdwaieOlOcPy3zGxzdXDkX5/ghmmdP/2aZFOnQh5Ts:cs5d/itGjGxx2/gcmYagQh5o
Malware Config
Signatures

Async RAT payload (1 IoC)
  resource: behavioral1/files/0x0005000000019333-37.dat
  yara_rule: family_asyncrat

Executes dropped EXE (1 IoC)
  pid 2712  Process autorun.exe

Loads dropped DLL (2 IoCs)
  pid 1740  Process 297942cdaf9c3efc3968bab08b2a69ea.exe
  pid 2712  Process autorun.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2712  Process autorun.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1740  Process 297942cdaf9c3efc3968bab08b2a69ea.exe
  pid 1740  Process 297942cdaf9c3efc3968bab08b2a69ea.exe
  pid 2712  Process autorun.exe
  pid 2712  Process autorun.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process                               procid_target
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
  PID 1740 wrote to memory of 2712   1740  297942cdaf9c3efc3968bab08b2a69ea.exe  28
Processes (tree)

1. C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe (PID 1740)
   command line: "C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe (PID 2712, child of PID 1740)
      command line: "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads