Analysis
- max time kernel: 147s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/04/2024, 13:14

Static task: static1

Behavioral task: behavioral1
- Sample: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
- Resource: win7-20240319-en

Behavioral task: behavioral2
- Sample: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
- Resource: win10v2004-20240226-en

General
- Target: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
- Size: 510KB
- MD5: 7f264ba8e4c519ce90c6e3b430945476
- SHA1: 4e18269b4c70931dcad3f7ca58e4f5db00411549
- SHA256: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
- SHA512: 3959fa9aad11f6718caa9404cf51cd53809d165436790109dbcf15b04ccd60335dbc824ce5e1ec0fd762c4ac69c6fb3518bc13c8a953c08cce4b7c0cb41b2cc6
- SSDEEP: 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9
Malware Config

Extracted: asyncrat
- Version: | Edit 3LOSH RAT
- Botnet: Exodus_Market
- C2: leetboy.dynuddns.net:1339
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: svchos.exe
- install_folder: %AppData%

Extracted: asyncrat
- Version: 5.0.5
- Botnet: WDKILLER
- C2: blue.o7lab.me:4449
- Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: false
- install_folder: %AppData%
Signatures

- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000023349-15.dat | family_asyncrat
  behavioral2/memory/396-51-0x0000000004A30000-0x0000000004A40000-memory.dmp | family_asyncrat

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | start.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  536 | pop3.exe
  4248 | start.exe
  396 | svchos.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 536 set thread context of 3808 | 536 | pop3.exe | 97

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3420 | schtasks.exe

- Delays execution with timeout.exe (1 IoC)
  pid | Process
  4948 | timeout.exe

- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process
  4248 | start.exe (24 occurrences)
  396 | svchos.exe (2 occurrences)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3808 | jsc.exe
  Token: SeDebugPrivilege | 4248 | start.exe
  Token: SeDebugPrivilege | 396 | svchos.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  396 | svchos.exe

- Suspicious use of WriteProcessMemory (31 IoCs; repeated identical rows collapsed with a count)
  description | pid | Process | procid_target
  PID 3292 wrote to memory of 536 | 3292 | 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe | 94 (2 occurrences)
  PID 3292 wrote to memory of 4248 | 3292 | 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe | 95 (3 occurrences)
  PID 536 wrote to memory of 3808 | 536 | pop3.exe | 97 (8 occurrences)
  PID 536 wrote to memory of 5064 | 536 | pop3.exe | 98 (3 occurrences)
  PID 4248 wrote to memory of 2552 | 4248 | start.exe | 106 (3 occurrences)
  PID 4248 wrote to memory of 1384 | 4248 | start.exe | 107 (3 occurrences)
  PID 1384 wrote to memory of 4948 | 1384 | cmd.exe | 110 (3 occurrences)
  PID 2552 wrote to memory of 3420 | 2552 | cmd.exe | 111 (3 occurrences)
  PID 1384 wrote to memory of 396 | 1384 | cmd.exe | 112 (3 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe (PID 3292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pop3.exe (PID 536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pop3.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 3808)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (PID 5064)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  - C:\Users\Admin\AppData\Local\Temp\start.exe (PID 4248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2552)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3420)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'
        Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 1384)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp.bat""
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 4948)
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\svchos.exe (PID 396)
        Command line: "C:\Users\Admin\AppData\Roaming\svchos.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5040)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 442KB
  MD5: 8cd2675e19a8b1dccf0dbf082f42ab33
  SHA1: 3b6a8a51f53d8ec6e773f2a28f80fb003311597b
  SHA256: 392ca70b63b6db8e0dc3aab0b6506169d5d9d2cad36598d037794be5a82bec09
  SHA512: b4260fe93196d71f38ab386a17db0ac91a1116ef155771f789579d3150b4c74abb23f289bc042ced1fe7b905f1f1645435837223b3ca331d1e1d55c7eb4a5711

- Filesize: 63KB
  MD5: c1ade258f05c512e98ebc4d9d1165f8a
  SHA1: acf20f6a7dc7841ae06f801b887289fdc99e0488
  SHA256: 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
  SHA512: 5b652e0ef6293d7baeb7e9d8b79322ec65e98d748e1df492099fa6692d0bbc78f032df68e7028a28af06b5c27394456159351a6469fdaf777e6eb98609331076

- Filesize: 150B
  MD5: 799380b82bcd2097f0b3ec01f168b027
  SHA1: a2f7f745751869e748a72d5cbc8e8148d05c15d0
  SHA256: 2d629508dfb8dc7efce22bdd72fb9f83cbabcdf7e0f0331026dc667aec4b9ab2
  SHA512: 0d287881600fb00f92bfe3c6948a28373bb7e60b7c5beb51eb086d4cfc8203e9e650846442fe09a2ccad556d76c8c7a2426ae03ab9bd86235d2537feced6d0af