Analysis

max time kernel: 155s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 18:04
Behavioral task: behavioral1
Sample: 87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe
Resource: win7-20240221-en
General

Target: 87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe
Size: 69KB
MD5: 1bcc48211ca31660a585b931eb987f93
SHA1: 6633d480598a27f756a8ce706e4392b294ccc8ec
SHA256: 87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347
SHA512: 7704148f1e83bf97e8a6ff7f36b7fc56dee6a2175be55f1c8c9a2629a66d4d19635bfa03a7f4c92b7cbf4fbd27b014a2a2fa58dcc734fd560dab0a9977b3cf86
SSDEEP: 1536:Ju4n9Tswb2ksLtF3buXSumtVoGB7dTxYIbdS6w:Ju49Tswb2VLtF3bugbhJxYIbML
Malware Config

Extracted
  Family: asyncrat
  Version: 0.5.8
  Botnet: Default
  C2: 94.156.68.217:3162
  Mutex: sz1D8OiE4OiM
  Attributes:
    delay: 3
    install: true
    install_file: MicrosoftCompabilityTelemtry.exe
    install_folder: %AppData%
Signatures

UAC bypass
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchosts.exe

Async RAT payload 1 IoCs
  resource | yara_rule
  - behavioral2/files/0x000800000002323e-6.dat | family_asyncrat
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | MicrosoftCompabilityTelemtry.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | svchosts.exe
Executes dropped EXE 3 IoCs
  pid | Process
  - 4288 | MicrosoftCompabilityTelemtry.exe
  - 1952 | svchosts.exe
  - 3912 | MicrosoftCompabilityTelemtry.exe

Checks whether UAC is enabled
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchosts.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchosts.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  flow | ioc
  - 43 | discord.com
  - 42 | discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 3016 | schtasks.exe
  - 2056 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
  pid | Process
  - 432 | timeout.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
  pid | Process
  - 4288 | MicrosoftCompabilityTelemtry.exe (21 entries)
  - 4028 | powershell.exe (3 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  - 1952 | svchosts.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
  description | pid | Process
  - Token: SeDebugPrivilege | 4288 | MicrosoftCompabilityTelemtry.exe
  - Token: SeDebugPrivilege | 1952 | svchosts.exe
  - Token: SeDebugPrivilege | 3912 | MicrosoftCompabilityTelemtry.exe
  - Token: SeDebugPrivilege | 4028 | powershell.exe
Suspicious use of WriteProcessMemory 33 IoCs
  description | pid | Process | procid_target (each entry recorded 3 times)
  - PID 2992 wrote to memory of 4288 | 2992 | 87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe | 90
  - PID 2992 wrote to memory of 1952 | 2992 | 87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe | 91
  - PID 4288 wrote to memory of 4336 | 4288 | MicrosoftCompabilityTelemtry.exe | 102
  - PID 1952 wrote to memory of 3440 | 1952 | svchosts.exe | 103
  - PID 1952 wrote to memory of 844 | 1952 | svchosts.exe | 106
  - PID 4288 wrote to memory of 2364 | 4288 | MicrosoftCompabilityTelemtry.exe | 108
  - PID 3440 wrote to memory of 4028 | 3440 | cmd.exe | 110
  - PID 2364 wrote to memory of 432 | 2364 | cmd.exe | 111
  - PID 844 wrote to memory of 3016 | 844 | cmd.exe | 112
  - PID 4336 wrote to memory of 2056 | 4336 | cmd.exe | 113
  - PID 2364 wrote to memory of 3912 | 2364 | cmd.exe | 114
System policy modification 1 TTPs 1 IoCs
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchosts.exe
Processes

C:\Users\Admin\AppData\Local\Temp\87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe (PID 2992)
  command line: "C:\Users\Admin\AppData\Local\Temp\87e382fef7c2e0010af6532600c22578d26d041a78a1c3ec16dbf0d5eb39f347.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicrosoftCompabilityTelemtry.exe (PID 4288)
    command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftCompabilityTelemtry.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4336)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftCompabilityTelemtry" /tr '"C:\Users\Admin\AppData\Roaming\MicrosoftCompabilityTelemtry.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 2056)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftCompabilityTelemtry" /tr '"C:\Users\Admin\AppData\Roaming\MicrosoftCompabilityTelemtry.exe"'
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (PID 2364)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA454.tmp.bat""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe (PID 432)
        command line: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\MicrosoftCompabilityTelemtry.exe (PID 3912)
        command line: "C:\Users\Admin\AppData\Roaming\MicrosoftCompabilityTelemtry.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\svchosts.exe (PID 1952)
    command line: "C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe (PID 3440)
      command line: "C:\Windows\System32\cmd.exe" /C powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\,C:\Users\Admin\AppData\Roaming
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4028)
        command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\,C:\Users\Admin\AppData\Roaming
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 844)
      command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /tn svchosts /tr C:\Users\Admin\AppData\Roaming\svchosts.exe /sc onlogon
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 3016)
        command line: schtasks /create /tn svchosts /tr C:\Users\Admin\AppData\Roaming\svchosts.exe /sc onlogon
        - Creates scheduled task(s)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2200)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
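The Signatures and Processes sections above record four behaviours that are worth turning into detection logic: a registry write that sets Policies\System\EnableLUA to 0 (UAC disabled after the next reboot), two on-logon scheduled tasks whose targets live in %AppData% (one with /rl highest), a Defender exclusion that covers the whole of C:\ plus the Roaming folder, and two executables named after Windows components (svchosts.exe, MicrosoftCompabilityTelemtry.exe) running from Temp. The Python below is an added example, not code from the sandbox, from this page or from AsyncRAT: it runs one detector per behaviour over Sysmon-style events that are constructed here from the command lines and the registry write listed in the report. The field names follow Sysmon (EventID 1 process creation, EventID 13 registry value set) but the events, the benign control task at the end, and the lookalike-name heuristic are assumptions of the example.

```python
"""Detectors for the behaviours recorded in this report, run over
Sysmon-style events. Added example: not sandbox output and not AsyncRAT
code. The events at the bottom are hand-constructed from the report's
process tree; the last one is a benign control that must not fire."""
import re

# User-writable locations that a legitimately installed component should not run from.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Heuristic (assumption of this example): executable names imitating Windows components.
LOOKALIKE = re.compile(r"^(svchost|csrss|lsass|winlogon|microsoft)", re.IGNORECASE)


def _arg_after(cmd, switch):
    """Value following a schtasks switch, handling bare, "..." and '"..."' quoting."""
    pat = re.escape(switch) + r"""\s+(?:['"]+(.+?)['"]+(?=\s|$)|(\S+))"""
    m = re.search(pat, cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect_uac_disable(ev):
    """System policy modification: EnableLUA under HKLM Policies/System set to 0."""
    if ev.get("EventID") != 13:
        return None
    if not ev.get("TargetObject", "").lower().endswith(r"\policies\system\enablelua"):
        return None
    details = ev.get("Details", "")
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)  # Sysmon renders DWORDs as "DWORD (0x...)"
    value = int(m.group(1), 16) if m else details.strip()
    return "uac_disabled:EnableLUA=0" if value in (0, "0") else None


def detect_onlogon_task(ev):
    """Persistence: schtasks /create /sc onlogon whose /tr target lives in a user-writable path."""
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low or "/sc onlogon" not in low:
        return None
    target = _arg_after(cmd, "/tr") or ""
    if not USER_WRITABLE.search(target):
        return None
    name = _arg_after(cmd, "/tn") or "?"
    flag = ":rl_highest" if "/rl highest" in low else ""
    return f"onlogon_task_from_user_writable_path:{name}{flag}"


def detect_defender_exclusion(ev):
    """Defense evasion: Add-MpPreference -ExclusionPath covering a drive root or a profile path."""
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+(\S+)", ev.get("CommandLine", ""), re.IGNORECASE)
    if not m:
        return None
    paths = [p.strip("'\"") for p in m.group(1).split(",")]
    broad = [p for p in paths if re.fullmatch(r"[A-Za-z]:\\?", p) or USER_WRITABLE.search(p)]
    return "defender_exclusion_broad:" + ",".join(broad) if broad else None


def detect_lookalike(ev):
    """Masquerading: a Windows-component-like name executing from AppData."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    if not USER_WRITABLE.search(image):
        return None
    name = image.rsplit("\\", 1)[-1]
    return f"system_lookalike_from_user_writable_path:{name}" if LOOKALIKE.match(name) else None


DETECTORS = (detect_lookalike, detect_onlogon_task, detect_defender_exclusion, detect_uac_disable)


def scan(events):
    """Run every detector over every event; returns (pid, finding) pairs in event order."""
    findings = []
    for ev in events:
        for detect in DETECTORS:
            hit = detect(ev)
            if hit:
                findings.append((ev["ProcessId"], hit))
    return findings


# Constructed events (not sandbox output), built from the process tree in the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 4288,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicrosoftCompabilityTelemtry.exe",
     "CommandLine": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicrosoftCompabilityTelemtry.exe"'},
    {"EventID": 1, "ProcessId": 1952,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchosts.exe",
     "CommandLine": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchosts.exe"'},
    {"EventID": 1, "ProcessId": 2056, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "CommandLine": 'schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftCompabilityTelemtry" '
                    '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftCompabilityTelemtry.exe"\''},
    {"EventID": 1, "ProcessId": 3016, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "CommandLine": "schtasks /create /tn svchosts /tr C:\\Users\\Admin\\AppData\\Roaming\\svchosts.exe /sc onlogon"},
    {"EventID": 1, "ProcessId": 4028, "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -inputformat none -outputformat none -NonInteractive -Command "
                    "Add-MpPreference -ExclusionPath C:\\,C:\\Users\\Admin\\AppData\\Roaming"},
    {"EventID": 13, "ProcessId": 1952, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchosts.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Benign control: an on-logon task whose target is under Program Files must not fire.
    {"EventID": 1, "ProcessId": 5000, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /tr "C:\\Program Files\\Vendor\\updater.exe" /sc onlogon'},
]

if __name__ == "__main__":
    for pid, finding in scan(EVENTS):
        print(pid, finding)
```

Two caveats when moving this from sample events to real telemetry: the registry detector only sees the EnableLUA write if the Sysmon configuration includes the Policies\System key in its RegistryEvent rules, and the schtasks detector should be applied to the schtasks.exe event rather than to the parent cmd.exe /c line as well, otherwise every task shows up twice (both command lines in the tree above carry the same arguments).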
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control
  - Scheduled Task/Job (1)
Downloads

- Filesize: 522B
  MD5: acc9090417037dfa2a55b46ed86e32b8
  SHA1: 53fa6fb25fb3e88c24d2027aca6ae492b2800a4d
  SHA256: 2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b
  SHA512: d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

- Filesize: 45KB
  MD5: fee8e7725f89e5b99e165996d89e0d29
  SHA1: 827fe03932f7c557703f62b4eec683eb1a14b9c2
  SHA256: b56464ef35b43d5e04a3fe655c2e80567fa67acb396221357b852e04952d0809
  SHA512: 11adb2c2320c21848ecca24cc542a17fc7bf80e74ef54b4f7e1ec088af5614ad04db64ab3ae1b9a8bf7106aaa6355a8ef686b4839a5756405b76425edcf6685e

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 12KB
  MD5: 0ade14069ec4dafe0f02c419da0f9ddd
  SHA1: 01fce38588ec0cbb6d17be718ba5867551180e32
  SHA256: 7df0b72ac5875dc5025d2f1e8d1eaa2cac1a4c58f2289603c852d2f9e191c948
  SHA512: 43e448d4bf3e25d6b154bf98da25dc183404ff35515029570f4554fa048d14ef208c4a8c7ac1024718abbb96c73c3e94ca8c5bcf8f8e8852c152b8c13959c92e

- Filesize: 172B
  MD5: 518409fe904cd51efdc80b5cd5f53252
  SHA1: af6653d252621349c87346ee54f4d58693fb07bb
  SHA256: b3d15d611493c88fb6c59dd5e77d7dfde530b338304b1769642face1a20b7cf5
  SHA512: 0f2663a9489bb83f8ce98715d946554e646f410be36007103fc1753e09678fbc84c8c93eb10bad13c716e3b1a4c463f51464351e209d2dd14bf8434aad8cd0df