Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24-05-2024 11:59
Behavioral task: behavioral1
- Sample: Optimix_client.exe
- Resource: win7-20240508-en
General
- Target: Optimix_client.exe
- Size: 45KB
- MD5: bc9efb1b76331a392346d4cce9c3b177
- SHA1: ecd6d5584ab75f5735a69864ecf74dddde8683a1
- SHA256: d948a6af0e9a1e9981669d300da54d84e526fc55e9654b8de1ba58821e14b96b
- SHA512: 4969259be841c308d791c16d0645e8f72db3f8708975bd9682ae630cca4c8f27b778d48387b5f17f1a1d82f3b8392cfbe95f8d5cd860ad25543f0d520e6b3f19
- SSDEEP: 768:luAINTHkvSbWUnFKJmo2q7XIrzXIxOPILzjbjXgXAiHFeq1BDZPx:luAINTHgN2Lv83L3bEX9leqbdPx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 192.168.0.76:6606, 192.168.0.76:7707, 192.168.0.76:8808, 192.168.0.76:4444
- Mutex: YNGv5uoT0xzv
- Attributes:
  - delay: 3
  - install: true
  - install_file: ProtonyteAntiVirusSetup.exe
  - install_folder: %Temp%
Signatures
- Async RAT payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe, yara_rule: family_asyncrat
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3780 ProtonyteAntiVirusSetup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 2748 timeout.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid 4768 Optimix_client.exe (15 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 4768 Optimix_client.exe
    Token: SeDebugPrivilege, pid 3780 ProtonyteAntiVirusSetup.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source pid, source process, target pid, target process):
    4768 Optimix_client.exe wrote to memory of 224 cmd.exe (3 events)
    4768 Optimix_client.exe wrote to memory of 2196 cmd.exe (3 events)
    2196 cmd.exe wrote to memory of 2748 timeout.exe (3 events)
    224 cmd.exe wrote to memory of 1888 schtasks.exe (3 events)
    2196 cmd.exe wrote to memory of 3780 ProtonyteAntiVirusSetup.exe (3 events)
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Optimix_client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Optimix_client.exe"
  PID: 4768
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ProtonyteAntiVirusSetup" /tr '"C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe"' & exit
    PID: 224
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "ProtonyteAntiVirusSetup" /tr '"C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe"'
      PID: 1888
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.bat""
    PID: 2196
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2748
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe"
      PID: 3780
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe
  Filesize: 45KB
  MD5: bc9efb1b76331a392346d4cce9c3b177
  SHA1: ecd6d5584ab75f5735a69864ecf74dddde8683a1
  SHA256: d948a6af0e9a1e9981669d300da54d84e526fc55e9654b8de1ba58821e14b96b
  SHA512: 4969259be841c308d791c16d0645e8f72db3f8708975bd9682ae630cca4c8f27b778d48387b5f17f1a1d82f3b8392cfbe95f8d5cd860ad25543f0d520e6b3f19
- C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.bat
  Filesize: 170B
  MD5: 5f88a0a6e70f543068b57a07efca411a
  SHA1: 6db14e04097083679a9922f9e69f0e2eebc61e4d
  SHA256: 5e0fa3fc3a3ea0e13e58eaf58ff24eb95ab83b517e0b7415acc065fa544c511b
  SHA512: 2cb7d77e3ad6f82c22413a24032aa609faed05df6b44254999a683bbb52390e8e666702699d2967e9921a52f942634de1a08fd9e6fffca40eefbbea9ab0c8f68
- memory/4768-0-0x000000007324E000-0x000000007324F000-memory.dmp
  Filesize: 4KB
- memory/4768-1-0x00000000007B0000-0x00000000007C2000-memory.dmp
  Filesize: 72KB
- memory/4768-2-0x0000000073240000-0x000000007392E000-memory.dmp
  Filesize: 6.9MB
- memory/4768-3-0x0000000005000000-0x000000000509C000-memory.dmp
  Filesize: 624KB
- memory/4768-8-0x0000000073240000-0x000000007392E000-memory.dmp
  Filesize: 6.9MB