Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 23:10
Behavioral task
- behavioral1
  Sample: Svchost.exe
  Resource: win7-20240220-en
General
- Target: Svchost.exe
- Size: 48KB
- MD5: 2c01d39807db97c023bed5a537afc7d1
- SHA1: fb5cae1a4c68278631803413a34182141b85c4a2
- SHA256: 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
- SHA512: 367256dd718596de7b89b0a910a96194dd7514eb83eb8670dea83326af63564dc1e9952142903203e2df876531ea034921c0e82616f7836f0125b8e3026744f7
- SSDEEP: 768:KuwhFTAY3IQWUe9jqmo2qLfRjDp0pCFUUgPIPJnPCZ01h0bqmHZIUmTT6FkHZBcG:KuwhFTA4/2c5DSC/FPJPCZJbqiy/H2kd
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Default
- C2: report-dust.gl.at.ply.gg:28329
- C2: report-dust.gl.at.ply.gg:8188
- 9VMpESMh922h
- delay: 3
- install: true
- install_file: Svchost.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  resource: behavioral2/files/0x0008000000023402-10.dat; yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation; Process: Svchost.exe
- Executes dropped EXE (1 IoCs)
  pid: 3616; Process: Svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 5028; Process: schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
  pid: 2016; Process: timeout.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid: 1620; Process: Svchost.exe (the same entry is recorded 21 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid: 1620; Process: Svchost.exe
  description: Token: SeDebugPrivilege; pid: 3616; Process: Svchost.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each of the five entries below is recorded 3 times)
  description: PID 1620 wrote to memory of 1524; pid: 1620; Process: Svchost.exe; procid_target: 89
  description: PID 1620 wrote to memory of 4692; pid: 1620; Process: Svchost.exe; procid_target: 91
  description: PID 1524 wrote to memory of 5028; pid: 1524; Process: cmd.exe; procid_target: 93
  description: PID 4692 wrote to memory of 2016; pid: 4692; Process: cmd.exe; procid_target: 94
  description: PID 4692 wrote to memory of 3616; pid: 4692; Process: cmd.exe; procid_target: 95
Processes
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Svchost.exe"
  PID: 1620
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
    PID: 1524
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
      PID: 5028
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9172.tmp.bat""
    PID: 4692
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      command line: timeout 3
      PID: 2016
      signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Svchost.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      PID: 3616
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 522B
- Filesize: 151B
- Filesize: 48KB (the submitted sample itself; hashes as listed under General)