Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/04/2024, 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: go.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: go.exe
  Resource: win10v2004-20240226-en
General
- Target: go.exe
- Size: 510KB
- MD5: 7f264ba8e4c519ce90c6e3b430945476
- SHA1: 4e18269b4c70931dcad3f7ca58e4f5db00411549
- SHA256: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
- SHA512: 3959fa9aad11f6718caa9404cf51cd53809d165436790109dbcf15b04ccd60335dbc824ce5e1ec0fd762c4ac69c6fb3518bc13c8a953c08cce4b7c0cb41b2cc6
- SSDEEP: 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9
Malware Config
Extracted
- Family: asyncrat
- Version: | Edit 3LOSH RAT
- Botnet: Exodus_Market
- C2: leetboy.dynuddns.net:1339
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: true
  - install_file: svchos.exe
  - install_folder: %AppData%
Extracted
- Family: asyncrat
- Version: 5.0.5
- Botnet: WDKILLER
- C2: blue.o7lab.me:4449
- Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- Attributes:
  - delay: 1
  - install: false
  - install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x000d0000000122d5-8.dat   family_asyncrat
- Executes dropped EXE (3 IoCs)
  pid   Process
  2864  pop3.exe
  2492  start.exe
  2808  svchos.exe
- Loads dropped DLL (8 IoCs)
  pid   Process
  1924  go.exe
  1924  go.exe
  2776  WerFault.exe
  2776  WerFault.exe
  2776  WerFault.exe
  2776  WerFault.exe
  2776  WerFault.exe
  2836  cmd.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process    procid_target
  PID 2864 set thread context of 2640    2864  pop3.exe   30
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2364  schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
  pid   Process
  1872  timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2492  start.exe
  2492  start.exe
  2492  start.exe
  2808  svchos.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    2640  regsvcs.exe
  Token: SeDebugPrivilege    2492  start.exe
  Token: SeDebugPrivilege    2808  svchos.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2808  svchos.exe
- Suspicious use of WriteProcessMemory (43 IoCs; identical rows collapsed, occurrences in the count column)
  description                         pid   Process     procid_target   count
  PID 1924 wrote to memory of 2864    1924  go.exe      28              4
  PID 1924 wrote to memory of 2492    1924  go.exe      29              4
  PID 2864 wrote to memory of 2640    2864  pop3.exe    30              12
  PID 2864 wrote to memory of 2776    2864  pop3.exe    31              3
  PID 2492 wrote to memory of 2400    2492  start.exe   32              4
  PID 2492 wrote to memory of 2836    2492  start.exe   34              4
  PID 2400 wrote to memory of 2364    2400  cmd.exe     36              4
  PID 2836 wrote to memory of 1872    2836  cmd.exe     37              4
  PID 2836 wrote to memory of 2808    2836  cmd.exe     38              4
Processes
- C:\Users\Admin\AppData\Local\Temp\go.exe (depth 1, PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\go.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pop3.exe (depth 2, PID 2864)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pop3.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (depth 3, PID 2640)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe (depth 3, PID 2776)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2864 -s 720
      Signatures: Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\start.exe (depth 2, PID 2492)
    Command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2400)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4, PID 2364)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'
        Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2836)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6401.tmp.bat""
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (depth 4, PID 1872)
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\svchos.exe (depth 4, PID 2808)
        Command line: "C:\Users\Admin\AppData\Roaming\svchos.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads