Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 17:45
Static task: static1
Behavioral task: behavioral1
  Sample: de96f95692e27176b74125a40300ba08.exe
  Resource: win7-20240215-en
General
Target: de96f95692e27176b74125a40300ba08.exe
Size: 1.9MB
MD5: de96f95692e27176b74125a40300ba08
SHA1: 472c7dfb79b00e95b68b3ba23c7fb5c14c740053
SHA256: 172705adb5ebbb023174bafa12a8c572604258aaf4a3959ec6759c7e3333b7ec
SHA512: 9062560007de212f285c1fee05df3b6cd021fcc4367d29b1baf9b0a1158aca484601a57b84e7c4b9c0937336f7a3e6e69fd990f516abd288666edf6aca16e1cc
SSDEEP: 24576:sYYiCmMxAtOsBgo0q4wMcCcsp/iKgM4MRM/mXVK67k3GCo27nsISxZvBn2spMBuu:sVWsoHMcCbppx44lK13NAI6736F6Z
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: podzeye.duckdns.org:4422
C2: podzeye.duckdns.org:4442
C2: podzeye.duckdns.org:4433
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
  resource: behavioral1/memory/2892-3-0x00000000004D0000-0x00000000004E2000-memory.dmp
  yara_rule: CustAttr

Executes dropped EXE (2 IoCs)
  PID 2704 System.exe
  PID 2332 System.exe

Loads dropped DLL (2 IoCs)
  PID 1892 de96f95692e27176b74125a40300ba08.exe
  PID 2704 System.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 2892 (de96f95692e27176b74125a40300ba08.exe) set thread context of PID 1892 (procid_target 33)
  PID 2704 (System.exe) set thread context of PID 2332 (procid_target 37)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2012 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2892 de96f95692e27176b74125a40300ba08.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2892 de96f95692e27176b74125a40300ba08.exe
  Token: SeDebugPrivilege, PID 2332 System.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1892 de96f95692e27176b74125a40300ba08.exe

Suspicious use of WriteProcessMemory (37 IoCs; repeated rows collapsed with counts)
  PID 2892 (de96f95692e27176b74125a40300ba08.exe) wrote to memory of PID 2924 (procid_target 30), 4 times
  PID 2892 (de96f95692e27176b74125a40300ba08.exe) wrote to memory of PID 2884 (procid_target 31), 4 times
  PID 2892 (de96f95692e27176b74125a40300ba08.exe) wrote to memory of PID 2680 (procid_target 32), 4 times
  PID 2892 (de96f95692e27176b74125a40300ba08.exe) wrote to memory of PID 1892 (procid_target 33), 8 times
  PID 1892 (de96f95692e27176b74125a40300ba08.exe) wrote to memory of PID 2704 (procid_target 34), 4 times
  PID 2704 (System.exe) wrote to memory of PID 2012 (procid_target 35), 4 times
  PID 2704 (System.exe) wrote to memory of PID 2332 (procid_target 37), 9 times
Processes

C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe (PID 2892)
  command line: "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
  Suspicious use of SetThreadContext
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe (PID 2924)
    command line: "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"

  C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe (PID 2884)
    command line: "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"

  C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe (PID 2680)
    command line: "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"

  C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe (PID 1892)
    command line: "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
    Loads dropped DLL
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\System.exe (PID 2704)
      command line: "C:\Users\Admin\AppData\Local\Temp\System.exe" 0
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 2012)
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ToahHiZtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp"
        Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\System.exe (PID 2332)
        command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
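The SetThreadContext and WriteProcessMemory rows above, read together with the process tree, describe two hollowing steps: the sample (PID 2892) writes into a suspended copy of itself (PID 1892) and resets its thread context, and the dropped System.exe (PID 2704) does the same to its own child (PID 2332), which is the process that ends up holding SeDebugPrivilege. The script below is an added example, not part of the sandbox report or of the tooling that produced it. It rebuilds that chain from the report's own rows: PROCESSES and EVENTS are constructed by hand from the Processes and signature sections (the sandbox's internal "procid_target" index is dropped and repeated rows are collapsed), and find_hollowing and lineage are names chosen here.

```python
import re
from collections import defaultdict

# Constructed from the report's Processes section: (pid, parent pid, image path).
# The root's parent is given as 0 because the sandbox launcher is not listed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
PROCESSES = [
    (2892, 0,    SAMPLE),
    (2924, 2892, SAMPLE),
    (2884, 2892, SAMPLE),
    (2680, 2892, SAMPLE),
    (1892, 2892, SAMPLE),
    (2704, 1892, r"C:\Users\Admin\AppData\Local\Temp\System.exe"),
    (2012, 2704, r"C:\Windows\SysWOW64\schtasks.exe"),
    (2332, 2704, r"C:\Users\Admin\AppData\Local\Temp\System.exe"),
]

# Constructed from the report's SetThreadContext and WriteProcessMemory
# signature rows, in report order; repeated rows are collapsed to one line each.
EVENTS = """
PID 2892 wrote to memory of 2924
PID 2892 wrote to memory of 2884
PID 2892 wrote to memory of 2680
PID 2892 wrote to memory of 1892
PID 2892 set thread context of 1892
PID 1892 wrote to memory of 2704
PID 2704 wrote to memory of 2012
PID 2704 wrote to memory of 2332
PID 2704 set thread context of 2332
"""

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_events(text):
    """Turn the report's prose rows into (api, source pid, target pid) tuples."""
    events = []
    for m in EVENT_RE.finditer(text):
        api = "WriteProcessMemory" if m.group(2).startswith("wrote") else "SetThreadContext"
        events.append((api, int(m.group(1)), int(m.group(3))))
    return events


def find_hollowing(processes, events):
    """Return (parent pid, child pid, image) for each child that its parent
    first wrote into and then called SetThreadContext on, where both run the
    same image. Write-then-SetThreadContext against a fresh child of one's own
    image is the process-hollowing (RunPE) sequence: the child is started
    suspended, its image is replaced, and its thread is pointed at the
    injected entry point. Order matters, so events are scanned in sequence."""
    image = {pid: img for pid, _, img in processes}
    written_to = defaultdict(set)
    hits = []
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            written_to[src].add(dst)
        elif api == "SetThreadContext" and dst in written_to[src]:
            if image.get(src) == image.get(dst):
                hits.append((src, dst, image[dst]))
    return hits


def lineage(processes, pid):
    """Walk parent links from pid up to the root, returning [(pid, basename)]
    from root to leaf, so the path from sample to final payload is explicit."""
    parent = {p: pp for p, pp, _ in processes}
    image = {p: img for p, _, img in processes}
    path = []
    while pid in image:
        path.append((pid, image[pid].rsplit("\\", 1)[-1]))
        pid = parent[pid]
    return path[::-1]


if __name__ == "__main__":
    events = parse_events(EVENTS)
    for src, dst, img in find_hollowing(PROCESSES, events):
        name = img.rsplit("\\", 1)[-1]
        print(f"hollowed: {src} -> {dst} ({name})")
    print(" -> ".join(f"{p}:{name}" for p, name in lineage(PROCESSES, 2332)))
```

Two details worth noting when reading the output against the report. PIDs 2924, 2884 and 2680 are written to by 2892 but never have their thread context set, so they do not register as hollowed; only 1892 does, and it is the one that goes on to drop and launch System.exe. And the schtasks child shows its image under C:\Windows\SysWOW64 while its command line names C:\Windows\System32: that is WOW64 file system redirection, which tells you the parent System.exe is a 32-bit process on this x64 image, consistent with the arch:x86 tag and the 32-bit memory range in the CustAttr YARA hit.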
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1KB
  MD5: 09f2ca26e4079b4a75446853bac5c811
  SHA1: 3e34739d41c7308dd68408f98b26f4178551fb56
  SHA256: 46d2ec0406b36f4a0ae712c9be9abfce8e880966035c52157beb218d9d93dd4a
  SHA512: 0b71a5127c46cb81131a43583f1cdc1823a9c4a38c1a3a0615bbb0e630803cac8e9fabd4686b9e1cf4dd23797eaed2d73b96573d25beeeb452cf3b234e91dab4

File 2
  Filesize: 1.1MB
  MD5: 6de6f3b1c646ed699f7e31c0631d0032
  SHA1: e658e0ddf1d4d5cfbf3a73635ac96682bcfac6cb
  SHA256: eb054bd6d1a8270815b7aba891b45fad52593e1eb99dfb5052dadb61587e9c45
  SHA512: 21eaa83a95ed1a4902ad06fe450a2fc745c5ebcb7816a9dd4690112910c83130b54a3632aa88ac498055ea33275e3df7373658053c0fbf5290ea3493273c566d