Analysis
-
max time kernel
132s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-05-2024 18:57
General
-
Target
Cranium.exe
-
Size
48KB
-
MD5
0acff5a467301fe851017b11e1263334
-
SHA1
67282d4682edbb78cc3eded3d3621d20060e5517
-
SHA256
9864678182d8d06ed1bebd8aad901cab4f77cfced7547f5e365e8c1854ef2cdf
-
SHA512
ec18c72cf4184781fe3deffa64c6dbd48f75ba9d185f6fa689469e1aded7aa7e5705c0f7abb5173f9ace1db039fbd0dda6f4d07014cac179f59132925df6f70f
-
SSDEEP
768:6uYp9T3kH1jWUvTqRmo2qb2v8eIfEePIL1/Yr90bzZR51guD6NpHqS/9OuBDZ0C:6uYp9T34y2PZuEnp/9bzZR7guD8R/91L
Malware Config
Extracted
asyncrat
0.5.8
Default
HVo4diHzRR9N
-
delay
3
-
install
true
-
install_file
Cranium.exe
-
install_folder
%Temp%
-
pastebin_config
https://pastebin.com/raw/d3N8c1P9
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cranium.exe"C:\Users\Admin\AppData\Local\Temp\Cranium.exe"1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Cranium"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /f /tn "Cranium"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
159B
MD549d1d4e4f39cfd539d4a88c49c22cdef
SHA119fc4eac6ed8282e76bdf86e82473ad6320e742a
SHA256b8ffcda21b360422bd0fb94f762ab2456b4eee1113105203dc73e1bbbf46fd0e
SHA512d1aa04695140d93c5574c8cd997b2d58d8ed98b150d8bc620c8b743090582e2d7d1eb36360b3ba3e3b86b4d89e50137d1d7c11892cc8b85b8c265629e48d0f48
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
256KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
416KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
392KB
-
Filesize
40KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
7.7MB
-
Filesize
32KB