Analysis
- max time kernel: 139s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 27-05-2024 15:21

Behavioral task: behavioral1
Sample: ohpndsemtf.exe
Resource: win7-20240419-en
General
- Target: ohpndsemtf.exe
- Size: 47KB
- MD5: 7a51aa3884526620751838e6c9714f25
- SHA1: 9f0210f25aaa9d2598a02132cf8faa5541d6ff3a
- SHA256: 15c37fc34c843c04dd97fdb40a9c767c0964a02ee7c0d9b22fd67a85fcf39a8a
- SHA512: 7460684b61e37eb842463abd8203eecfbb635767168be8d6bc79a6da5282dcee8ed9034adaecd315419117eb9f7851b20e14a9221e5b0c38dcb85127f5aa14d7
- SSDEEP: 768:5CT3ILNCKi+Di5hFxhLR5qiH6Ybrge8ZIar7XvEgK/JTZVc6KN:5CYm5jxXDpbUVeY7XnkJTZVclN
Malware Config
Extracted
asyncrat
1.0.7
MAYO27
flugrekorder.duckdns.org:7786
"$%#&63T%y/34rdy@
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
  1644  timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  2456  ohpndsemtf.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 2456 wrote to memory of 1276  2456  ohpndsemtf.exe  cmd.exe
  PID 2456 wrote to memory of 1276  2456  ohpndsemtf.exe  cmd.exe
  PID 2456 wrote to memory of 1276  2456  ohpndsemtf.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ohpndsemtf.exe (depth 1, PID 2456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ohpndsemtf.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2, PID 1276)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19D4.tmp.bat""
    - C:\Windows\system32\timeout.exe (depth 3, PID 1644)
      Command line: timeout 3
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 162B
  MD5: 8d14c69ac0ff875e34717e20ed8d462c
  SHA1: 75a0bd350a0ec00b1532e4384999ff43190c8bd7
  SHA256: a5385f2394724a39abb5ebcf5cf1fe1b402c17af664ec7ad8a142a55efd832d2
  SHA512: 4271255b9ccc93b19eefaa8411c5b17c6c46233bd72ca7f616b0343c184102fda0b26981e50c59fe264e0513f43f29f2524cd5ea5582d2c3ad1748ac35b9a157