Malware Analysis Report

2024-09-22 07:18

Sample ID 240531-t1cymseg43
Target B099F31FF999B0AAC37E9DE2E3160CE6.exe
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d

Threat Level: Known bad

The file B099F31FF999B0AAC37E9DE2E3160CE6.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Asyncrat family

Async RAT payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 16:31

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 16:31

Reported

2024-05-31 16:33

Platform

win7-20240508-en

Max time kernel

118s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\notepad.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\notepad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3068 wrote to memory of 2460 (4 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2712 (4 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2272 (4 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 2636 (4 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2712 wrote to memory of 2904 (4 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe

"C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp34A7.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\notepad.exe

"C:\Users\Admin\AppData\Roaming\notepad.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:7707 | N/A | tcp
US | 8.8.8.8:53 | drasticqq.zapto.org | udp
NL | 91.92.243.101:8808 | drasticqq.zapto.org | tcp

Files

memory/3068-0-0x000000007441E000-0x000000007441F000-memory.dmp

memory/3068-1-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/3068-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp34A7.tmp.bat

MD5 065425a51dd4df8095a8d2171df2262b
SHA1 f500daa49cb006d5bb3cef3bfc55e2758b2a897a
SHA256 470c2549f39b94dee3e56f26594855e14ffe90046a79a306570712403178fc05
SHA512 7e6a11f84232d38a4402f798329799deb31769df8be2832f1a868723a2d8bd91504b3f8657482372ba47a5ac3c64d5ef0dafad04f0bb3a9601ad9b1e65995c68

memory/3068-12-0x0000000074410000-0x0000000074AFE000-memory.dmp

\Users\Admin\AppData\Roaming\notepad.exe

MD5 b099f31ff999b0aac37e9de2e3160ce6
SHA1 03e35f01dbb3286c943e69771cd630757cd16bdf
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
SHA512 833b9200854811d35a243938dd9f47bb53be3559716438afd91fb8eabf282c6a23d49b4a4e3391e9bccd339048a65d75ec18ba4e8b922caf46d70d83b8a98079

memory/2904-16-0x00000000001B0000-0x00000000001C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 16:31

Reported

2024-05-31 16:33

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\notepad.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (23 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\notepad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4768 wrote to memory of 4956 (3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 560 (3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe | C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 3172 (3 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4956 wrote to memory of 2348 (3 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 560 wrote to memory of 3684 (3 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe

"C:\Users\Admin\AppData\Local\Temp\B099F31FF999B0AAC37E9DE2E3160CE6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DC2.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\notepad.exe

"C:\Users\Admin\AppData\Roaming\notepad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
N/A | 127.0.0.1:7707 | N/A | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | drasticqq.zapto.org | udp
NL | 91.92.243.101:8808 | drasticqq.zapto.org | tcp
US | 8.8.8.8:53 | 101.243.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp

Files

memory/4768-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

memory/4768-1-0x0000000000680000-0x0000000000692000-memory.dmp

memory/4768-2-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/4768-3-0x00000000053C0000-0x000000000545C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2DC2.tmp.bat

MD5 50eacea63717977be4ea6afc5d73077c
SHA1 636d02ca1c3d4b189d5b8cb2f51e454671e91911
SHA256 ecca067eecd3231a7a771a56a4be3b5ced0736c7dd646dcdab594167ed12e875
SHA512 4954f7d3443794b3ebe6a80876f4e619aa8f84921a0ff3ef709f633c97c9f6358a1654231e97dca1944d8b7d3be9073b0f24f2304646985d51ce7cdb304c5c8b

memory/4768-9-0x0000000074FA0000-0x0000000075750000-memory.dmp

C:\Users\Admin\AppData\Roaming\notepad.exe

MD5 b099f31ff999b0aac37e9de2e3160ce6
SHA1 03e35f01dbb3286c943e69771cd630757cd16bdf
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
SHA512 833b9200854811d35a243938dd9f47bb53be3559716438afd91fb8eabf282c6a23d49b4a4e3391e9bccd339048a65d75ec18ba4e8b922caf46d70d83b8a98079

memory/3684-13-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3684-16-0x0000000005AC0000-0x0000000006064000-memory.dmp

memory/3684-17-0x0000000005140000-0x00000000051A6000-memory.dmp

memory/3684-18-0x0000000074F00000-0x00000000756B0000-memory.dmp