Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-04-2024 06:58
Static task
static1
Behavioral task
behavioral1
Sample
12de70d06ed65680914d061347ac1f95.exe
Resource
win7-20240221-en
General
-
Target
12de70d06ed65680914d061347ac1f95.exe
-
Size
89KB
-
MD5
12de70d06ed65680914d061347ac1f95
-
SHA1
14023e1ed46236cbfb463ddccd6345caa3c14d54
-
SHA256
46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339
-
SHA512
7d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f
-
SSDEEP
1536:EGjb5BKhaUxo6TRMinLvIbzV6A2SYzEOV4c7rei1:EGjb5IJxZTLnL4aSY4OVDui
Malware Config
Extracted
asyncrat
1.0.7
Default
103.249.112.118:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Downloads MZ/PE file
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2236 set thread context of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 -
Executes dropped EXE 2 IoCs
pid Process 1036 Accounts_Ledger_Software.eXE 2084 Accounts_Ledger_Software.eXE -
Loads dropped DLL 1 IoCs
pid Process 1724 taskeng.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2188 SCHtAsKs.EXe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2236 12de70d06ed65680914d061347ac1f95.exe 2236 12de70d06ed65680914d061347ac1f95.exe 1036 Accounts_Ledger_Software.eXE 1036 Accounts_Ledger_Software.eXE 2084 Accounts_Ledger_Software.eXE 2084 Accounts_Ledger_Software.eXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2236 12de70d06ed65680914d061347ac1f95.exe Token: SeDebugPrivilege 2464 aspnet_compiler.exe Token: SeDebugPrivilege 1036 Accounts_Ledger_Software.eXE Token: SeDebugPrivilege 2084 Accounts_Ledger_Software.eXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2188 2236 12de70d06ed65680914d061347ac1f95.exe 28 PID 2236 wrote to memory of 2188 2236 12de70d06ed65680914d061347ac1f95.exe 28 PID 2236 wrote to memory of 2188 2236 12de70d06ed65680914d061347ac1f95.exe 28 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 2236 wrote to memory of 2464 2236 12de70d06ed65680914d061347ac1f95.exe 30 PID 1724 wrote to memory of 1036 1724 taskeng.exe 35 PID 1724 wrote to memory of 1036 1724 taskeng.exe 35 PID 1724 wrote to memory of 1036 1724 taskeng.exe 35 PID 1724 wrote to memory of 2084 1724 taskeng.exe 36 PID 1724 wrote to memory of 2084 1724 taskeng.exe 36 PID 1724 wrote to memory of 2084 1724 taskeng.exe 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe"C:\Users\Admin\AppData\Local\Temp\12de70d06ed65680914d061347ac1f95.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\system32\SCHtAsKs.EXe"SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 12⤵
- Creates scheduled task(s)
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {FE7E3FB8-D6DF-4CB2-A01D-4F8560B774A3} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXEC:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXEC:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD512de70d06ed65680914d061347ac1f95
SHA114023e1ed46236cbfb463ddccd6345caa3c14d54
SHA25646b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339
SHA5127d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f