Analysis
- max time kernel: 141s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/03/2024, 01:42

Static task: static1
Behavioral task: behavioral1
- Sample: 297942cdaf9c3efc3968bab08b2a69ea.exe
- Resource: win7-20240221-en
General
- Target: 297942cdaf9c3efc3968bab08b2a69ea.exe
- Size: 24.2MB
- MD5: 297942cdaf9c3efc3968bab08b2a69ea
- SHA1: ed32102f28e40674f308a74c9f00eb0908ab797a
- SHA256: 09b1cb8d457625091e02d13c9f6323309a5652ed4e8b33eaf9c994ca9c849805
- SHA512: 55e09b0d0da590cfd529ca0e6b1d084653cb5e96df8cf94ecd1d721f02d208b02391b89ad65b25c727218623627eaedead2df2611ff42a397b865b22fb57f53d
- SSDEEP: 786432:cs+YdwaieOlOcPy3zGxzdXDkX5/ghmmdP/2aZFOnQh5Ts:cs5d/itGjGxx2/gcmYagQh5o
Malware Config

Signatures
- Async RAT payload (1 IoCs)
  resource: behavioral2/files/0x0007000000023206-36.dat, yara_rule: family_asyncrat
- Executes dropped EXE (1 IoCs)
  pid 1436, process autorun.exe
- Loads dropped DLL (1 IoCs)
  pid 1436, process autorun.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 1436, process autorun.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33, pid 3208, process AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 3208, process AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 4276, process 297942cdaf9c3efc3968bab08b2a69ea.exe
  pid 4276, process 297942cdaf9c3efc3968bab08b2a69ea.exe
  pid 1436, process autorun.exe
  pid 1436, process autorun.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4276 wrote to memory of 1436; pid 4276, process 297942cdaf9c3efc3968bab08b2a69ea.exe, procid_target 91
  PID 4276 wrote to memory of 1436; pid 4276, process 297942cdaf9c3efc3968bab08b2a69ea.exe, procid_target 91
  PID 4276 wrote to memory of 1436; pid 4276, process 297942cdaf9c3efc3968bab08b2a69ea.exe, procid_target 91
Processes
- C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe (depth 1, PID 4276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe (depth 2, PID 1436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE (depth 1, PID 3208)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x538 0x534
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads