Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 14:35
Behavioral task behavioral1: sample xtPT79JKvvlE.exe, resource win7-20240221-en
Behavioral task behavioral2: sample xtPT79JKvvlE.exe, resource win10v2004-20240226-en
General
Target: xtPT79JKvvlE.exe
Size: 47KB
MD5: 6657934f52a0686aefcfac430c49eb6c
SHA1: e803dc674a183866df2ea7c732bd6ce288e4d273
SHA256: a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6
SHA512: 5d0991ccd328d04ee99136c08ecf6ce17d1d557e0b44a7df55a553002c61aaef3a018fdbc90e2a0ca21bd13ef26865e6a8a95d541feb1a827c101a7378703cf5
SSDEEP: 768:oq+s3pUtDILNCCa+DimriAPYb+geRHuPkqgmvEgK/JfZVc6KN:oq+AGtQOgQbBJtnkJfZVclN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: PROMESAS NEW 05
C2: promesasalvaro1.duckdns.org:7091
Mutex: DcRatMutex_qwqdanchun
delay: 1
install: false
install_folder: %AppData%
Signatures

Deletes itself (1 IoCs)
pid   Process
776   cmd.exe

Delays execution with timeout.exe (1 IoCs)
pid   Process
1972  timeout.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2364  xtPT79JKvvlE.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process            procid_target
PID 2364 wrote to memory of 776    2364  xtPT79JKvvlE.exe   29
PID 2364 wrote to memory of 776    2364  xtPT79JKvvlE.exe   29
PID 2364 wrote to memory of 776    2364  xtPT79JKvvlE.exe   29
PID 776 wrote to memory of 1972    776   cmd.exe            31
PID 776 wrote to memory of 1972    776   cmd.exe            31
PID 776 wrote to memory of 1972    776   cmd.exe            31
Processes

1. C:\Users\Admin\AppData\Local\Temp\xtPT79JKvvlE.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\xtPT79JKvvlE.exe"
   PID: 2364
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp54CC.tmp.bat""
      PID: 776
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\timeout.exe
         command line: timeout 3
         PID: 1972
         - Delays execution with timeout.exe