Analysis

max time kernel: 145s
max time network: 151s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 13:14

Static task: static1

Behavioral task: behavioral1
Sample: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
Resource: win7-20240319-en

Behavioral task: behavioral2
Sample: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
Resource: win10v2004-20240226-en
General

Target: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
Size: 510KB
MD5: 7f264ba8e4c519ce90c6e3b430945476
SHA1: 4e18269b4c70931dcad3f7ca58e4f5db00411549
SHA256: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
SHA512: 3959fa9aad11f6718caa9404cf51cd53809d165436790109dbcf15b04ccd60335dbc824ce5e1ec0fd762c4ac69c6fb3518bc13c8a953c08cce4b7c0cb41b2cc6
SSDEEP: 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9
Malware Config

Extracted
Family: asyncrat
Version: 3LOSH RAT
Botnet: Exodus_Market
C2: leetboy.dynuddns.net:1339
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: true
- install_file: svchos.exe
- install_folder: %AppData%

Extracted
Family: asyncrat
Version: 5.0.5
Botnet: WDKILLER
C2: blue.o7lab.me:4449
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Attributes:
- delay: 1
- install: false
- install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000800000001220a-8.dat
  yara_rule: family_asyncrat

Executes dropped EXE (3 IoCs)
  pid 2916  pop3.exe
  pid 1164  start.exe
  pid 1924  svchos.exe

Loads dropped DLL (8 IoCs)
  pid 2368  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  (2 events)
  pid 2572  WerFault.exe  (5 events)
  pid 2488  cmd.exe  (1 event)

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2916 set thread context of 2764
  pid 2916  pop3.exe  procid_target 30

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2912  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid 2192  timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1164  start.exe  (3 events)
  pid 1924  svchos.exe  (1 event)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 2764  CasPol.exe
  Token: SeDebugPrivilege  pid 1164  start.exe
  Token: SeDebugPrivilege  pid 1924  svchos.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1924  svchos.exe

Suspicious use of WriteProcessMemory (40 IoCs; identical events grouped with their count)
  PID 2368 wrote to memory of 2916  pid 2368  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  procid_target 28  (4 events)
  PID 2368 wrote to memory of 1164  pid 2368  5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe  procid_target 29  (4 events)
  PID 2916 wrote to memory of 2764  pid 2916  pop3.exe  procid_target 30  (9 events)
  PID 2916 wrote to memory of 2572  pid 2916  pop3.exe  procid_target 31  (3 events)
  PID 1164 wrote to memory of 2476  pid 1164  start.exe  procid_target 32  (4 events)
  PID 1164 wrote to memory of 2488  pid 1164  start.exe  procid_target 34  (4 events)
  PID 2488 wrote to memory of 2192  pid 2488  cmd.exe  procid_target 36  (4 events)
  PID 2476 wrote to memory of 2912  pid 2476  cmd.exe  procid_target 37  (4 events)
  PID 2488 wrote to memory of 1924  pid 2488  cmd.exe  procid_target 38  (4 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe"
  PID: 2368
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pop3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pop3.exe"
    PID: 2916
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      PID: 2764
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2916 -s 720
      PID: 2572
      Signatures: Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\start.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
    PID: 1164
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit
      PID: 2476
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'
        PID: 2912
        Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.bat""
      PID: 2488
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 2192
        Signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\svchos.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchos.exe"
        PID: 1924
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Downloads