Malware Analysis Report

2024-09-22 07:18

Sample ID 240530-xkdf1shd97
Target Cranium.exe
SHA256 9864678182d8d06ed1bebd8aad901cab4f77cfced7547f5e365e8c1854ef2cdf
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9864678182d8d06ed1bebd8aad901cab4f77cfced7547f5e365e8c1854ef2cdf

Threat Level: Known bad

The file Cranium.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

AsyncRat

Asyncrat family

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-30 18:54

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 18:54

Reported

2024-05-30 19:30

Platform

win11-20240426-en

Max time kernel

550s

Max time network

1173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cranium.exe"

Signatures

AsyncRat

rat asyncrat

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 5.tcp.eu.ngrok.io N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cranium.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cranium.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cranium.exe

"C:\Users\Admin\AppData\Local\Temp\Cranium.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Cranium"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC75.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /f /tn "Cranium"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.161.133:17731 5.tcp.eu.ngrok.io tcp
DE 3.67.161.133:17731 5.tcp.eu.ngrok.io tcp
DE 3.67.161.133:17731 5.tcp.eu.ngrok.io tcp
DE 3.67.161.133:17731 5.tcp.eu.ngrok.io tcp

Files

memory/2616-0-0x000000007469E000-0x000000007469F000-memory.dmp

memory/2616-1-0x00000000000C0000-0x00000000000D2000-memory.dmp

memory/2616-2-0x0000000074690000-0x0000000074E41000-memory.dmp

memory/2616-3-0x0000000004B60000-0x0000000004BC6000-memory.dmp

memory/2616-4-0x0000000004FB0000-0x000000000504C000-memory.dmp

memory/2616-7-0x00000000060A0000-0x0000000006646000-memory.dmp

memory/2616-8-0x000000007469E000-0x000000007469F000-memory.dmp

memory/2616-9-0x0000000074690000-0x0000000074E41000-memory.dmp

memory/2616-10-0x0000000005C70000-0x0000000005CE6000-memory.dmp

memory/2616-11-0x0000000005C00000-0x0000000005C68000-memory.dmp

memory/2616-12-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

memory/2616-13-0x0000000005F30000-0x0000000005FC2000-memory.dmp

memory/2616-14-0x0000000004E70000-0x0000000004ED4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAC75.tmp.bat

MD5 aa079fb13e8a44098f225862fdc17996
SHA1 3fba0e961fa6ae61c1aa3f188252ec3a0eacbd5a
SHA256 2c174781add13197d6cdad931444cab7cafafa6d810726c2538cbc9b3e425558
SHA512 7ea8ef936955a3b41de54249e32f4cd07b8dd48a55518dab9776d6d39bf78e707291ddc4b35d24b7566514b303509e6c2389cd5ba00f50a372b3cd4c76203097

memory/2616-19-0x0000000074690000-0x0000000074E41000-memory.dmp