Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 04:42
Behavioral task: behavioral1
Sample: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
Resource: win10v2004-20240412-en
General
Target: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
Size: 48KB
MD5: 7fd8581748cdf137023ef96f1286ce0f
SHA1: c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512: bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282
SSDEEP: 1536:AuLN+Twip21CyEHq3LbAMZhgwaBOcd8L:AuLMTwip21CyEHq3LbAKhgCceL
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Default
C2: 94.228.162.82:6606, 94.228.162.82:7707, 94.228.162.82:8808
YBc01FE5mcOd
delay: 3
install: true
install_file: appBroker.exe
install_folder: %AppData%
The extracted config matches the observed behaviour: install_folder and install_file correspond to the dropped C:\Users\Admin\AppData\Roaming\appBroker.exe, delay 3 corresponds to the "timeout 3" in the batch stage, and persistence is the onlogon scheduled task named "appBroker". All three C2 entries share one host; only the port differs.
Signatures
Detect ZGRat V1 (2 IoCs)
resource | yara_rule
behavioral1/memory/4808-18-0x0000000006520000-0x00000000065BC000-memory.dmp | family_zgrat_v1
behavioral1/memory/4808-23-0x0000000006830000-0x0000000006892000-memory.dmp | family_zgrat_v1
Async RAT payload (1 IoC)
resource | yara_rule
behavioral1/files/0x00090000000233dd-11.dat | family_asyncrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
Executes dropped EXE (1 IoC)
pid | Process
4808 | appBroker.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2284 | schtasks.exe
Delays execution with timeout.exe (1 IoC)
pid | Process
656 | timeout.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
1052 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe (19 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1052 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
Token: SeDebugPrivilege | 4808 | appBroker.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1052 wrote to memory of 812 | 1052 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe | 84 (3 events)
PID 1052 wrote to memory of 5028 | 1052 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe | 86 (3 events)
PID 812 wrote to memory of 2284 | 812 | cmd.exe | 88 (3 events)
PID 5028 wrote to memory of 656 | 5028 | cmd.exe | 89 (3 events)
PID 5028 wrote to memory of 4808 | 5028 | cmd.exe | 90 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe (PID 1052)
  command line: "C:\Users\Admin\AppData\Local\Temp\0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 812)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2284)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 5028)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DAC.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 656)
      command line: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\appBroker.exe (PID 4808)
      command line: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
The command lines name System32\cmd.exe but the executed image is SysWOW64\cmd.exe: the parent is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64. Two chains hang off the sample: one registers the onlogon task with /rl highest, the other runs a temporary batch file that waits three seconds and then launches the copy from %AppData%\Roaming.
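As an added example (not part of the sandbox report), the Python below models the two chains in the process tree as Sysmon-style process-creation records and flags them: a schtasks /create that registers an onlogon, highest-privilege task whose action lives under AppData, and a cmd.exe running a .bat from %TEMP% whose children are timeout.exe followed by an executable from the user profile. The records are constructed from the tree above, with a benign daily task pointing at Program Files added as a control; the ProcEvent fields and the rule names are my own and not Sysmon's.

```python
"""Detect the AsyncRAT install chain from process-creation telemetry.

Added example: records are constructed from the report's process tree;
field names and rule names are the author's own, not Sysmon's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe"

# Constructed from the report's process tree. PID 3000 is a benign control
# (a daily task whose action lives under Program Files) and must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1052, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(812, 1052, r"C:\Windows\SysWOW64\cmd.exe",
              r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit"""),
    ProcEvent(2284, 812, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'"""),
    ProcEvent(5028, 1052, r"C:\Windows\SysWOW64\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DAC.tmp.bat""'''),
    ProcEvent(656, 5028, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(4808, 5028, r"C:\Users\Admin\AppData\Roaming\appBroker.exe",
              r'"C:\Users\Admin\AppData\Roaming\appBroker.exe"'),
    ProcEvent(3000, 2900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# Captures the task action after /tr, tolerating the '"..."' double quoting
# cmd.exe leaves in place.
_TR_RE = re.compile(r"/tr\s+['\"]*([^'\"]+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_profile(path: str) -> bool:
    """True for anything under a user's AppData tree (Roaming or Local)."""
    return "\\appdata\\" in path.lower()


def schtasks_onlogon_from_appdata(ev: ProcEvent) -> bool:
    """Persistence primitive: onlogon task, highest run level, action in AppData."""
    if basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.cmdline.lower()
    if "/create" not in cl or "/sc onlogon" not in cl or "/rl highest" not in cl:
        return False
    m = _TR_RE.search(cl)
    return bool(m) and in_user_profile(m.group(1))


def temp_batch_delayed_launch(events: List[ProcEvent]) -> List[int]:
    """Drop-and-run stage: cmd.exe running a %TEMP% .bat that spawns timeout.exe
    and an executable from the user profile. Returns the launched PIDs."""
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits: List[int] = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        cl = ev.cmdline.lower()
        if ".bat" not in cl or "\\temp\\" not in cl:
            continue
        kids = children[ev.pid]
        delayed = any(basename(k.image) == "timeout.exe" for k in kids)
        for k in kids:
            if delayed and in_user_profile(k.image) and k.image.lower().endswith(".exe"):
                hits.append(k.pid)
    return hits


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run both rules and return (rule_name, pid) findings."""
    findings = [("schtasks_onlogon_appdata", ev.pid)
                for ev in events if schtasks_onlogon_from_appdata(ev)]
    findings += [("temp_bat_delayed_appdata_exec", pid)
                 for pid in temp_batch_delayed_launch(events)]
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
```

Against the constructed events the first rule fires on the schtasks child (PID 2284) and the second on the dropped appBroker.exe (PID 4808); the control task on PID 3000 is ignored because it is neither onlogon nor rooted in AppData. The parent/child join is what makes the second rule meaningful: timeout.exe alone is noise, and an executable under AppData alone is common, but the two as siblings under a cmd.exe running a %TEMP% batch file is the shape this sample produces.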
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 153B
MD5: 9102efff7ef4c31b72499335be0f937a
SHA1: a844934be10de22c97fa655caf31d8435ea6f86e
SHA256: d22f703c29826dbce99f5d8650712c2b0cd71c9213ab27fdb4506aaf7f804254
SHA512: 7423e7e416406c0f3de3a60f03482962c70bc14af0b0110df4c7fcb5f5c549bca66e28c0d59ed318ad163ef50b66dafc4e982b6a36182d2b667a9fd2d608836d
File 2 (hashes identical to the submitted sample)
Filesize: 48KB
MD5: 7fd8581748cdf137023ef96f1286ce0f
SHA1: c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512: bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282