Analysis
Max time kernel: 130s
Max time network: 140s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 16-04-2024 23:10

Behavioral task: behavioral1
Sample: Svchost.exe
Resource: win7-20240220-en
General
Target: Svchost.exe
Size: 48KB
MD5: 2c01d39807db97c023bed5a537afc7d1
SHA1: fb5cae1a4c68278631803413a34182141b85c4a2
SHA256: 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
SHA512: 367256dd718596de7b89b0a910a96194dd7514eb83eb8670dea83326af63564dc1e9952142903203e2df876531ea034921c0e82616f7836f0125b8e3026744f7
SSDEEP: 768:KuwhFTAY3IQWUe9jqmo2qLfRjDp0pCFUUgPIPJnPCZ01h0bqmHZIUmTT6FkHZBcG:KuwhFTA4/2c5DSC/FPJPCZJbqiy/H2kd
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: report-dust.gl.at.ply.gg:28329
C2: report-dust.gl.at.ply.gg:8188
Mutex: 9VMpESMh922h
Attributes:
  delay: 3
  install: true
  install_file: Svchost.exe
  install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000b000000013a88-13.dat  yara_rule: family_asyncrat
Executes dropped EXE (1 IoC)
  pid 2552  Svchost.exe
Loads dropped DLL (1 IoC)
  pid 2932  cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2600  schtasks.exe
Delays execution with timeout.exe (1 IoC)
  pid 2604  timeout.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2768  Svchost.exe (x2)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2768  Svchost.exe
  Token: SeDebugPrivilege  pid 2552  Svchost.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / process / procid_target
  PID 2768 wrote to memory of 2888  2768  Svchost.exe  28  (x4)
  PID 2768 wrote to memory of 2932  2768  Svchost.exe  30  (x4)
  PID 2932 wrote to memory of 2604  2932  cmd.exe      33  (x4)
  PID 2888 wrote to memory of 2600  2888  cmd.exe      32  (x4)
  PID 2932 wrote to memory of 2552  2932  cmd.exe      34  (x4)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Svchost.exe"
  PID: 2768
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
    PID: 2888
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
      PID: 2600
      - Creates scheduled task(s)
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat""
    PID: 2932
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2604
      - Delays execution with timeout.exe
    [depth 3] C:\Users\Admin\AppData\Roaming\Svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      PID: 2552
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 151B
  MD5: 784b474e86b57a6bb8f94720762a716d
  SHA1: 133b7be4cac95a9a6f191dff492933fd478e53af
  SHA256: bb3294443605215973837367c4934912c2f6d21e2be54caa7d38ca888d8af492
  SHA512: 8b8be5521a8f82942d44a03e57f0955516f4d9a77063a8e7a3cdf0dcb25444c6f1e27c3e1223f4eab8f6ac154a7055bd7f62b3dfa7ced4caebc14f09ae772356
File 2 (hashes identical to the submitted sample listed under General)
  Filesize: 48KB
  MD5: 2c01d39807db97c023bed5a537afc7d1
  SHA1: fb5cae1a4c68278631803413a34182141b85c4a2
  SHA256: 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
  SHA512: 367256dd718596de7b89b0a910a96194dd7514eb83eb8670dea83326af63564dc1e9952142903203e2df876531ea034921c0e82616f7836f0125b8e3026744f7