Analysis

max time kernel: 143s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 11:27
Static task: static1

Behavioral task: behavioral1
  Sample: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
  Resource: win10v2004-20240226-en
General

Target: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
Size: 510KB
MD5: 7f264ba8e4c519ce90c6e3b430945476
SHA1: 4e18269b4c70931dcad3f7ca58e4f5db00411549
SHA256: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
SHA512: 3959fa9aad11f6718caa9404cf51cd53809d165436790109dbcf15b04ccd60335dbc824ce5e1ec0fd762c4ac69c6fb3518bc13c8a953c08cce4b7c0cb41b2cc6
SSDEEP: 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9
Malware Config

Extracted: asyncrat
  Version: | Edit 3LOSH RAT
  Botnet: Exodus_Market
  C2: leetboy.dynuddns.net:1339
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: true
    install_file: svchos.exe
    install_folder: %AppData%

Extracted: asyncrat
  Version: 5.0.5
  Botnet: WDKILLER
  C2: blue.o7lab.me:4449
  Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  Attributes:
    delay: 1
    install: false
    install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000a000000015cb6-8.dat
  yara_rule: family_asyncrat

Executes dropped EXE (3 IoCs)
  PID   Process
  3040  pop3.exe
  2144  start.exe
  764   svchos.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
  2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
  2900  cmd.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process   procid_target
  PID 3040 set thread context of 2700  3040  pop3.exe  31

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2136  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  PID  Process
  308  timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  2144  start.exe
  2144  start.exe
  2144  start.exe
  764   svchos.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2700  CasPol.exe
  Token: SeDebugPrivilege  2144  start.exe
  Token: SeDebugPrivilege  764   svchos.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID  Process
  764  svchos.exe

Suspicious use of WriteProcessMemory (49 IoCs)
  Description                        PID   Process                                                                 procid_target
  PID 2960 wrote to memory of 3040   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  28
  PID 2960 wrote to memory of 3040   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  28
  PID 2960 wrote to memory of 3040   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  28
  PID 2960 wrote to memory of 3040   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  28
  PID 2960 wrote to memory of 2144   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  29
  PID 2960 wrote to memory of 2144   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  29
  PID 2960 wrote to memory of 2144   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  29
  PID 2960 wrote to memory of 2144   2960  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  29
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2548   3040  pop3.exe                                                                30
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2700   3040  pop3.exe                                                                31
  PID 3040 wrote to memory of 2712   3040  pop3.exe                                                                32
  PID 3040 wrote to memory of 2712   3040  pop3.exe                                                                32
  PID 3040 wrote to memory of 2712   3040  pop3.exe                                                                32
  PID 3040 wrote to memory of 2712   3040  pop3.exe                                                                32
  PID 2144 wrote to memory of 2424   2144  start.exe                                                               33
  PID 2144 wrote to memory of 2424   2144  start.exe                                                               33
  PID 2144 wrote to memory of 2424   2144  start.exe                                                               33
  PID 2144 wrote to memory of 2424   2144  start.exe                                                               33
  PID 2144 wrote to memory of 2900   2144  start.exe                                                               35
  PID 2144 wrote to memory of 2900   2144  start.exe                                                               35
  PID 2144 wrote to memory of 2900   2144  start.exe                                                               35
  PID 2144 wrote to memory of 2900   2144  start.exe                                                               35
  PID 2424 wrote to memory of 2136   2424  cmd.exe                                                                 37
  PID 2424 wrote to memory of 2136   2424  cmd.exe                                                                 37
  PID 2424 wrote to memory of 2136   2424  cmd.exe                                                                 37
  PID 2424 wrote to memory of 2136   2424  cmd.exe                                                                 37
  PID 2900 wrote to memory of 308    2900  cmd.exe                                                                 38
  PID 2900 wrote to memory of 308    2900  cmd.exe                                                                 38
  PID 2900 wrote to memory of 308    2900  cmd.exe                                                                 38
  PID 2900 wrote to memory of 308    2900  cmd.exe                                                                 38
  PID 2900 wrote to memory of 764    2900  cmd.exe                                                                 39
  PID 2900 wrote to memory of 764    2900  cmd.exe                                                                 39
  PID 2900 wrote to memory of 764    2900  cmd.exe                                                                 39
  PID 2900 wrote to memory of 764    2900  cmd.exe                                                                 39
Processes

1. C:\Users\Admin\AppData\Local\Temp\5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2960

   2. C:\Users\Admin\AppData\Local\Temp\pop3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pop3.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 3040

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
         PID: 2548

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
         - Suspicious use of AdjustPrivilegeToken
         PID: 2700

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
         PID: 2712

   2. C:\Users\Admin\AppData\Local\Temp\start.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2144

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit
         - Suspicious use of WriteProcessMemory
         PID: 2424

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'
            - Creates scheduled task(s)
            PID: 2136

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp35DF.tmp.bat""
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 2900

         4. C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 3
            - Delays execution with timeout.exe
            PID: 308

         4. C:\Users\Admin\AppData\Roaming\svchos.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svchos.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 764
Network
MITRE ATT&CK Enterprise v15
Downloads