Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64 arch:x86 image:win11-20240412-en locale:en-us os:windows11-21h2-x64 system
submitted: 17-04-2024 04:42
Behavioral task: behavioral1
Sample: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
Resource: win10v2004-20240412-en
General
Target: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
Size: 48KB
MD5: 7fd8581748cdf137023ef96f1286ce0f
SHA1: c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512: bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282
SSDEEP: 1536:AuLN+Twip21CyEHq3LbAMZhgwaBOcd8L:AuLMTwip21CyEHq3LbAKhgCceL
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2:
  94.228.162.82:6606
  94.228.162.82:7707
  94.228.162.82:8808
Mutex: YBc01FE5mcOd
Attributes:
  delay: 3
  install: true
  install_file: appBroker.exe
  install_folder: %AppData%
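The extracted config gives one C2 address on three ports. The Python below is an added example, not the sandbox's code: it turns that config into a Suricata rule and a conn.log check and runs the check over a constructed Zeek-style sample. It generalizes past this sample's C2: the fan-out heuristic flags any client that touches two or more of AsyncRAT's builder-default ports (6606, 7707, 8808) on one destination, because the client picks a port from its configured list at random on each connect attempt. The log lines, the internal addresses (10.0.0.x, 203.0.113.10) and the rule SID are constructed or caller-chosen.

```python
"""Network checks derived from the report's extracted AsyncRAT config.

Added example: not the sandbox's own code. The conn.log lines and internal
addresses are constructed; the Suricata SID is whatever the caller passes.
"""
from __future__ import annotations

from collections import defaultdict

# Values copied from the "Malware Config" section of this report.
ASYNCRAT_CONFIG = {
    "version": "0.5.8",
    "botnet": "Default",
    "c2": ["94.228.162.82:6606", "94.228.162.82:7707", "94.228.162.82:8808"],
    "mutex": "YBc01FE5mcOd",
    "delay": 3,
    "install": True,
    "install_file": "appBroker.exe",
    "install_folder": "%AppData%",
}

# Ports the AsyncRAT builder pre-fills; many operators keep them.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}


def c2_endpoints(cfg: dict) -> set[tuple[str, int]]:
    """Split 'host:port' strings into (host, port) tuples."""
    out = set()
    for item in cfg["c2"]:
        host, _, port = item.rpartition(":")
        out.add((host.lower(), int(port)))
    return out


def suricata_rule(cfg: dict, sid: int) -> str:
    """One rule per C2 host covering every configured port (SID is a placeholder)."""
    by_host: dict[str, set[int]] = defaultdict(set)
    for host, port in c2_endpoints(cfg):
        by_host[host].add(port)
    rules = []
    for host, ports in sorted(by_host.items()):
        plist = ",".join(str(p) for p in sorted(ports))
        rules.append(
            f'alert tcp $HOME_NET any -> {host} [{plist}] '
            f'(msg:"AsyncRAT C2 {cfg["botnet"]} {host}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    return "\n".join(rules)


def parse_conn(line: str) -> dict:
    """Minimal Zeek conn.log row: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state."""
    ts, oh, op, rh, rp, proto, state = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "orig_h": oh, "orig_p": int(op),
            "resp_h": rh, "resp_p": int(rp), "proto": proto, "state": state}


def detect(conn_lines, cfg: dict) -> list[tuple]:
    """Return (kind, orig_h, resp_h, detail) findings for the given conn.log rows."""
    endpoints = c2_endpoints(cfg)
    c2_hosts = {h for h, _ in endpoints}
    findings: list[tuple] = []
    fanout: dict[tuple[str, str], set[int]] = defaultdict(set)
    for line in conn_lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_conn(line)
        if (c["resp_h"].lower(), c["resp_p"]) in endpoints:
            findings.append(("c2_match", c["orig_h"], c["resp_h"], c["resp_p"]))
        elif c["resp_h"].lower() in c2_hosts:
            # Same infrastructure, port not in this config: lower confidence.
            findings.append(("c2_host_other_port", c["orig_h"], c["resp_h"], c["resp_p"]))
        if c["proto"] == "tcp" and c["resp_p"] in ASYNCRAT_DEFAULT_PORTS:
            fanout[(c["orig_h"], c["resp_h"])].add(c["resp_p"])
    # The client picks a random port from its list per connect attempt, so one
    # victim usually touches several of them within minutes.
    for (oh, rh), ports in fanout.items():
        if len(ports) >= 2:
            findings.append(("asyncrat_port_fanout", oh, rh, tuple(sorted(ports))))
    return findings


# Constructed sample: one infected host cycling the three ports, one benign
# flow, and one flow to the C2 IP on a port this config does not list.
CONN_LOG = (
    "1713328980.101\t10.0.0.7\t49711\t94.228.162.82\t7707\ttcp\tS0\n"
    "1713328985.204\t10.0.0.7\t49712\t94.228.162.82\t6606\ttcp\tSF\n"
    "1713328990.310\t10.0.0.7\t49713\t94.228.162.82\t8808\ttcp\tSF\n"
    "1713328991.000\t10.0.0.9\t51000\t203.0.113.10\t443\ttcp\tSF\n"
    "1713328992.000\t10.0.0.9\t51001\t94.228.162.82\t80\ttcp\tSF\n"
)

if __name__ == "__main__":
    print(suricata_rule(ASYNCRAT_CONFIG, sid=1000001))
    for f in detect(CONN_LOG.splitlines(), ASYNCRAT_CONFIG):
        print(f)
```

The exact-match rule is the high-confidence signal; the other-port and fan-out findings are there so a rotated port or a second build with a different C2 address still surfaces for review.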
Signatures
Detect ZGRat V1 (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/628-18-0x0000000006B10000-0x0000000006BAC000-memory.dmp  family_zgrat_v1
  behavioral2/memory/628-23-0x0000000006E10000-0x0000000006E72000-memory.dmp  family_zgrat_v1
Async RAT payload (1 IoC)
  resource                                     yara_rule
  behavioral2/files/0x000700000002a972-11.dat  family_asyncrat
Executes dropped EXE (1 IoC)
  pid  Process
  628  appBroker.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2980  schtasks.exe
Delays execution with timeout.exe (1 IoC)
  pid   Process
  3964  timeout.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   Process
  4132  0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe  (19 events, all from this pid)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4132  0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
  Token: SeDebugPrivilege  628   appBroker.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                                                procid_target
  PID 4132 wrote to memory of 1760  4132  0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe  78  (3 events)
  PID 4132 wrote to memory of 4948  4132  0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe  80  (3 events)
  PID 1760 wrote to memory of 2980  1760  cmd.exe                                                                82  (3 events)
  PID 4948 wrote to memory of 3964  4948  cmd.exe                                                                83  (3 events)
  PID 4948 wrote to memory of 628   4948  cmd.exe                                                                84  (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe"
  PID 4132 | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  ├─ C:\Windows\SysWOW64\cmd.exe
  │    cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
  │    PID 1760 | Suspicious use of WriteProcessMemory
  │    └─ C:\Windows\SysWOW64\schtasks.exe
  │         cmdline: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
  │         PID 2980 | Creates scheduled task(s)
  └─ C:\Windows\SysWOW64\cmd.exe
       cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp67D2.tmp.bat""
       PID 4948 | Suspicious use of WriteProcessMemory
       ├─ C:\Windows\SysWOW64\timeout.exe
       │    cmdline: timeout 3
       │    PID 3964 | Delays execution with timeout.exe
       └─ C:\Users\Admin\AppData\Roaming\appBroker.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
            PID 628 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

Note: the command lines name System32 but the images resolve under SysWOW64; the sample is a 32-bit process (resource tag arch:x86) and the file-system redirector hands it the 32-bit copies of cmd.exe, schtasks.exe and timeout.exe. The two cmd.exe children are the AsyncRAT install routine: one registers a logon task ("appBroker", /rl highest) pointing at %AppData%\appBroker.exe, the other runs a dropped batch file that waits three seconds (the config's delay value) and then starts the copied binary.
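The process tree above is the part of the report that maps directly onto endpoint telemetry. The Python below is an added example, not the sandbox's signature code: it runs two checks over constructed Sysmon-style process-creation records built from the PIDs, images and command lines the report lists. The first parses the schtasks command line and flags a logon-triggered task whose target lives in a user-writable path and the /rl highest request; the second finds a cmd.exe running a %TEMP%\tmpXXXX.tmp.bat that spawns timeout.exe and then an EXE under a user-writable path. The parent PID given for the sample (0) is not in the report and is a placeholder.

```python
"""Detection for the persistence and install chain in the report's process tree.

Added example over constructed Sysmon-style process records; not the
sandbox's own signature code. The sample's parent PID (0) is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\ProgramData\\|\\Temp\\", re.I)
TEMP_BAT = re.compile(r"\\Temp\\tmp[0-9A-F]+\.tmp\.bat", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def strip_quotes(s: str) -> str:
    """Peel nested quoting such as '"C:\\x.exe"' down to C:\\x.exe."""
    while len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        s = s[1:-1]
    return s


def parse_schtasks(cmdline: str) -> dict | None:
    """Map /switch -> value (True for bare switches); None if this is not schtasks."""
    toks = TOKEN.findall(cmdline)
    if not toks or "schtasks" not in strip_quotes(toks[0]).lower():
        return None
    opts: dict[str, object] = {}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[sw] = strip_quotes(toks[i + 1])
            i += 2
        else:
            opts[sw] = True
            i += 1
    return opts


def schtasks_findings(cmdline: str) -> list[str]:
    """Flag logon/boot-triggered tasks from user-writable paths and /rl highest."""
    opts = parse_schtasks(cmdline)
    if not opts or "/create" not in opts:
        return []
    name, target = opts.get("/tn", "?"), str(opts.get("/tr", ""))
    out = []
    if str(opts.get("/sc", "")).lower() in ("onlogon", "onstart") and USER_WRITABLE.search(target):
        out.append(f"task {name!r} runs {target} at logon/boot from a user-writable path")
    if str(opts.get("/rl", "")).lower() == "highest":
        out.append(f"task {name!r} asks for RunLevel highest (no UAC prompt for admin users)")
    return out


def install_chain_findings(procs: list[Proc]) -> list[str]:
    """cmd.exe running %TEMP%\\tmpXXXX.tmp.bat -> timeout.exe + EXE in a user-writable path."""
    children: dict[int, list[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    out = []
    for p in procs:
        if not (p.image.lower().endswith("\\cmd.exe") and TEMP_BAT.search(p.cmdline)):
            continue
        kids = children.get(p.pid, [])
        delayed = any(k.image.lower().endswith("\\timeout.exe") for k in kids)
        dropped = [k for k in kids if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        if delayed and dropped:
            out.append(f"cmd.exe pid {p.pid} ran a temp .bat, waited via timeout, then started {dropped[0].image}")
    return out


def scan(procs: list[Proc]) -> list[str]:
    findings = []
    for p in procs:
        if p.image.lower().endswith("\\schtasks.exe"):
            findings += schtasks_findings(p.cmdline)
    return findings + install_chain_findings(procs)


# Constructed records mirroring the report's process tree.
SAMPLE = "0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "appBroker" '
                f"/tr '\"{ROAMING}\\appBroker.exe\"'")
REPORT_PROCS = [
    Proc(4132, 0, f"{TMP}\\{SAMPLE}", f'"{TMP}\\{SAMPLE}"'),
    Proc(1760, 4132, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c {SCHTASKS_CMD} & exit'),
    Proc(2980, 1760, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    Proc(4948, 4132, r"C:\Windows\SysWOW64\cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c ""{TMP}\\tmp67D2.tmp.bat""'),
    Proc(3964, 4948, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    Proc(628, 4948, f"{ROAMING}\\appBroker.exe", f'"{ROAMING}\\appBroker.exe"'),
]

if __name__ == "__main__":
    for f in scan(REPORT_PROCS):
        print("ALERT:", f)
```

The tokenizer keeps quoted runs intact so the /tr value survives its double layer of quoting, which is exactly the form that trips simple split-on-space rules; the chain check keys on parent/child structure rather than the dropped file name, so a rebuilt sample with a different install_file still matches.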
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize  153B
  MD5       0cd863a34e7a2a1443e8dab79de29b0b
  SHA1      c59c85402b37246242d04976eda46a9735593dbb
  SHA256    83233dafbd6589c82a3fc34e8e8f488cd11ec8b2e90e38c1891c5f625ab918bd
  SHA512    dcf60cb28f30a1b67ff64f56eca8b42ca8d623779ce8417b30de56bc06289fd1f1c3687af65d82957fb05d57fa98ce8ad920917e137bfa02414d10a3745cf85b
File 2
  Filesize  48KB
  MD5       7fd8581748cdf137023ef96f1286ce0f
  SHA1      c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
  SHA256    0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
  SHA512    bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

Note: the 48KB entry carries exactly the submitted sample's MD5, SHA1, SHA256 and SHA512 (General section), so the dropped executable (appBroker.exe, per the Executes dropped EXE signature) is an unmodified self-copy and a hash match on the sample also covers the installed file. The page does not name the 153-byte file.