Analysis
max time kernel: 119s
max time network: 182s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 15:23
Static task: static1
Behavioral task: behavioral1
  Sample: dd256157a85a12405cbdf789af1b2442.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dd256157a85a12405cbdf789af1b2442.exe
  Resource: win10v2004-20240508-en
General
Target: dd256157a85a12405cbdf789af1b2442.exe
Size: 1.8MB
MD5: dd256157a85a12405cbdf789af1b2442
SHA1: 215b9612eec327982a956ada1c5c9ca0cb934b0b
SHA256: 37157625bef24977ce0cf11e74b3d5c8412a0638b541e51cc0944b5127b2469d
SHA512: 4e6b8dcc6cf00c85d3a68a412555e370a5d63ee480594e7a7ee6f8289e2873ea4b2860d6e5a7e3bd77ea1c079132ecbf9010bb6e47683c6c49ac640357fee2f3
SSDEEP: 49152:P1opHluallLeIfGpD+ePfGaBbVoJLshVGbdMeaLaf:N2HluaDp7WmeJaf
Malware Config
Extracted: asyncrat
  1.0.7
  ORO-BENDITOS 2
  krakenstudio061Q.casacam.net:8002
  DcRatMutex_qwqdanchun
  delay: 1
  install: false
  install_folder: %AppData%
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: dd256157a85a12405cbdf789af1b2442.exe
  description     | ioc                                                                                                                                                                        | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmokerLtd = "C:\\Users\\Admin\\Documents\\Umunu\\uOperna.exe" | dd256157a85a12405cbdf789af1b2442.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: dd256157a85a12405cbdf789af1b2442.exe
  description                         | pid  | process                              | target process
  PID 1928 set thread context of 2660 | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: csc.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 2660 | csc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: dd256157a85a12405cbdf789af1b2442.exe
  description                       | pid  | process                              | target process
  PID 1928 wrote to memory of 2660  | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe
  PID 1928 wrote to memory of 2660  | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe
  PID 1928 wrote to memory of 2660  | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe
  PID 1928 wrote to memory of 2660  | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe
  PID 1928 wrote to memory of 2660  | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe
  PID 1928 wrote to memory of 2660  | 1928 | dd256157a85a12405cbdf789af1b2442.exe | csc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\dd256157a85a12405cbdf789af1b2442.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dd256157a85a12405cbdf789af1b2442.exe"
  PID: 1928
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (child of PID 1928)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    PID: 2660
    - Suspicious use of AdjustPrivilegeToken