Analysis
max time kernel: 141s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2024, 12:02
Static task: static1
Behavioral task: behavioral1 (Sample: go.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: go.exe, Resource: win10v2004-20240226-en)
General
Target: go.exe
Size: 510KB
MD5: 7f264ba8e4c519ce90c6e3b430945476
SHA1: 4e18269b4c70931dcad3f7ca58e4f5db00411549
SHA256: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
SHA512: 3959fa9aad11f6718caa9404cf51cd53809d165436790109dbcf15b04ccd60335dbc824ce5e1ec0fd762c4ac69c6fb3518bc13c8a953c08cce4b7c0cb41b2cc6
SSDEEP: 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9
Malware Config
Extracted: asyncrat
  Version: 3LOSH RAT
  Botnet: Exodus_Market
  C2: leetboy.dynuddns.net:1339
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: true
    install_file: svchos.exe
    install_folder: %AppData%
Extracted: asyncrat
  Version: 5.0.5
  Botnet: WDKILLER
  C2: blue.o7lab.me:4449
  Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  Attributes:
    delay: 1
    install: false
    install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0008000000023259-15.dat  yara_rule: family_asyncrat
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  process: go.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  process: start.exe
Executes dropped EXE (3 IoCs)
  PID 3356 pop3.exe
  PID 1992 start.exe
  PID 4476 svchos.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 3356 set thread context of 656  pid: 3356  process: pop3.exe  procid_target: 96
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1116 schtasks.exe
Delays execution with timeout.exe (1 IoC)
  PID 2360 timeout.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
  PID 1992 start.exe (23 entries)
  PID 4476 svchos.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 656 msbuild.exe
  Token: SeDebugPrivilege  PID 1992 start.exe
  Token: SeDebugPrivilege  PID 4476 svchos.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4476 svchos.exe
Suspicious use of WriteProcessMemory (31 IoCs; duplicate entries collapsed with counts)
  PID 3668 (go.exe) wrote to memory of 3356  procid_target: 93  (2 entries)
  PID 3668 (go.exe) wrote to memory of 1992  procid_target: 95  (3 entries)
  PID 3356 (pop3.exe) wrote to memory of 656  procid_target: 96  (8 entries)
  PID 3356 (pop3.exe) wrote to memory of 5116  procid_target: 97  (3 entries)
  PID 1992 (start.exe) wrote to memory of 4480  procid_target: 104  (3 entries)
  PID 1992 (start.exe) wrote to memory of 4516  procid_target: 106  (3 entries)
  PID 4516 (cmd.exe) wrote to memory of 2360  procid_target: 108  (3 entries)
  PID 4480 (cmd.exe) wrote to memory of 1116  procid_target: 109  (3 entries)
  PID 4516 (cmd.exe) wrote to memory of 4476  procid_target: 112  (3 entries)
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\go.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\go.exe"
  PID: 3668
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\pop3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pop3.exe"
    PID: 3356
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      PID: 656
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      PID: 5116
  C:\Users\Admin\AppData\Local\Temp\start.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
    PID: 1992
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit
      PID: 4480
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'
        PID: 1116
        - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3E9A.tmp.bat""
      PID: 4516
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        command line: timeout 3
        PID: 2360
        - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Roaming\svchos.exe
        command line: "C:\Users\Admin\AppData\Roaming\svchos.exe"
        PID: 4476
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  PID: 2536
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 442KB
  MD5: 8cd2675e19a8b1dccf0dbf082f42ab33
  SHA1: 3b6a8a51f53d8ec6e773f2a28f80fb003311597b
  SHA256: 392ca70b63b6db8e0dc3aab0b6506169d5d9d2cad36598d037794be5a82bec09
  SHA512: b4260fe93196d71f38ab386a17db0ac91a1116ef155771f789579d3150b4c74abb23f289bc042ced1fe7b905f1f1645435837223b3ca331d1e1d55c7eb4a5711
Filesize: 63KB
  MD5: c1ade258f05c512e98ebc4d9d1165f8a
  SHA1: acf20f6a7dc7841ae06f801b887289fdc99e0488
  SHA256: 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
  SHA512: 5b652e0ef6293d7baeb7e9d8b79322ec65e98d748e1df492099fa6692d0bbc78f032df68e7028a28af06b5c27394456159351a6469fdaf777e6eb98609331076
Filesize: 150B
  MD5: cdbc760d8d749db47f4317c336c05d43
  SHA1: d40fb4cdee015e750d21503fd775a4b851dce354
  SHA256: 3bbd9784ad469fa8e6eece6a14021b943ff50f27e893a8d6d315690ecfa60ae7
  SHA512: 8805e175a559d72be4290f3aea1785d8ef6f64e3f4fb0be8b0165eeb2402cc6d97ed64bde54448974275f089dc4944436e4c8a37aeca4c70a64634bbb7c52763