Malware Analysis Report

2024-09-22 07:44

Sample ID 240601-bec3eaca9x
Target 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
Tags
rat default asyncrat
score
10/10

Analysis Overview

score
10/10

SHA256

0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d

Threat Level: Known bad

The file 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Asyncrat family

Async RAT payload

Detects file containing reversed ASEP Autorun registry keys

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:03

Signatures

Async RAT payload

rat
(no indicator details recorded)

Asyncrat family

asyncrat

Detects file containing reversed ASEP Autorun registry keys

(no indicator details recorded)

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:03

Reported

2024-06-01 01:05

Platform

win7-20240508-en

Max time kernel

131s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
(no indicator details recorded)

Detects file containing reversed ASEP Autorun registry keys

(3 matches; no indicator details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 3028 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2688 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2576 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3028 wrote to memory of 2556 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2688 wrote to memory of 2484 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\notepad.exe

"C:\Users\Admin\AppData\Roaming\notepad.exe"
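The command lines above are the sample's install routine: one cmd.exe registers a logon task named "notepad" with /rl highest that points at C:\Users\Admin\AppData\Roaming\notepad.exe, a second cmd.exe runs a dropped .bat that waits (timeout 3) and starts that file, and the Files section records that notepad.exe carries the same SHA256 as the submitted sample, so the task relaunches the sample itself under a benign-looking name. The script below is an added example, not sandbox output: it replays this run's process list and the WriteProcessMemory parent/child pairs, parses the schtasks switches (including the '"..."' quote layering cmd.exe passes through) and labels each process in the persistence chain with its ancestry. The writable-path list, the masquerade name list and the hit labels are this example's assumptions, not report fields.

```python
"""Persistence triage over a sandbox process tree (added example, not sandbox
output). Replays the behavioral1 process list and WriteProcessMemory
parent->child pairs, parses the schtasks switches and labels the chain.
USER_WRITABLE, MASQUERADE_NAMES and the hit labels are assumptions."""
import re
from dataclasses import dataclass, field

# Directories an unprivileged user can write to (assumption: illustrative list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Binary names malware borrows to blend in (assumption: illustrative list).
MASQUERADE_NAMES = {"notepad.exe", "svchost.exe", "explorer.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    hits: list = field(default_factory=list)

# One argument as cmd.exe hands it to schtasks: '"..."' (as for /tr in this
# report), plain "..." (as for /tn) or a bare word (as for /sc and /rl).
_TOKEN = r"""(?:'"[^"]*"'|"[^"]*"|\S+)"""

def _opt(cmdline, switch):
    """Value of one schtasks switch with its quote layers stripped, or None."""
    m = re.search(re.escape(switch) + r"\s+(" + _TOKEN + ")", cmdline, re.IGNORECASE)
    return m.group(1).strip("'\"") if m else None

def parse_schtasks(cmdline):
    """Fields of a `schtasks /create` invocation found anywhere in cmdline."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create", cmdline, re.IGNORECASE):
        return None
    return {
        "schedule": (_opt(cmdline, "/sc") or "").lower(),
        "runlevel": (_opt(cmdline, "/rl") or "limited").lower(),
        "name": _opt(cmdline, "/tn"),
        "action": _opt(cmdline, "/tr"),
        "force": re.search(r"\s/f(?=\s|$)", cmdline, re.IGNORECASE) is not None,
    }

def classify(p):
    """Append hit labels to p.hits and return them (empty list = clean)."""
    img, cmd = p.image.lower(), p.cmdline.lower()
    task = parse_schtasks(p.cmdline)
    if task and task["action"]:
        if any(d in task["action"].lower() for d in USER_WRITABLE):
            p.hits.append("T1053.005 %s task %r runs %s from a user-writable path"
                          % (task["schedule"], task["name"], task["action"]))
        if task["runlevel"] == "highest":
            p.hits.append("task asks for the highest run level (/rl highest)")
    if img.endswith("\\cmd.exe") and ".bat" in cmd and "\\appdata\\local\\temp\\" in cmd:
        p.hits.append("cmd.exe runs a batch file dropped in %TEMP%")
    if img.endswith("\\timeout.exe"):
        p.hits.append("execution delayed with timeout.exe before the relaunch")
    name = img.rsplit("\\", 1)[-1]
    if name in MASQUERADE_NAMES and not img.startswith(SYSTEM_DIRS):
        p.hits.append("%s running outside a system directory (masquerading)" % name)
    return p.hits

def chain(pid, parents, by_pid):
    """Image basenames from the root of the tree down to pid."""
    path = []
    while pid is not None:
        path.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = parents.get(pid)
    return path[::-1]

def analyze(procs, write_events):
    """{pid: (ancestry, hits)} for every process with at least one hit."""
    by_pid = {p.pid: p for p in procs}
    parents = {child: parent for parent, child in write_events}  # writer = parent
    return {p.pid: (chain(p.pid, parents, by_pid), p.hits) for p in procs if classify(p)}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\notepad.exe"
TASK_CMD = 'schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr \'"%s"\'' % DROP
# Process list of behavioral1; PIDs are taken from the WriteProcessMemory table
# (3028 is the cmd.exe that spawned schtasks, 2688 the one that ran the .bat).
BEHAVIORAL1 = [
    Proc(1632, SAMPLE, '"%s"' % SAMPLE),
    Proc(3028, r"C:\Windows\SysWOW64\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c %s & exit' % TASK_CMD),
    Proc(2688, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1EF6.tmp.bat""'),
    Proc(2556, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    Proc(2576, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    Proc(2484, DROP, '"%s"' % DROP),
]
# (writer PID, target PID) pairs from the WriteProcessMemory table, deduplicated.
WRITES1 = [(1632, 3028), (1632, 2688), (2688, 2576), (3028, 2556), (2688, 2484)]

if __name__ == "__main__":
    for pid, (ancestry, hits) in analyze(BEHAVIORAL1, WRITES1).items():
        print(pid, " > ".join(ancestry))
        for h in hits:
            print("     -", h)
```

The parent map is built from the WriteProcessMemory writer/target pairs because on this sandbox that is the only parent evidence in the report; on a live host the same chain comes from Sysmon event ID 1 ParentProcessId. The `/rl highest` switch only takes effect when the creating process is already elevated, so the presence of the task with that flag is also a hint about the privilege the sample ran with.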

Network

Country Destination Domain Proto
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
CA 198.44.140.183:8808 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:6606 tcp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp

Files

memory/1632-0-0x000000007495E000-0x000000007495F000-memory.dmp

memory/1632-1-0x00000000012A0000-0x00000000012B2000-memory.dmp

memory/1632-2-0x0000000074950000-0x000000007503E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp.bat

MD5 c94b2dd99bdaf5f8ed6e22461430ba4b
SHA1 f72ac26230038804c2142218e9b25abbbb486057
SHA256 62ef0a508738f9afa5f743a6b633958a446c521e77c8aab8df94a4f51cd3e395
SHA512 e55f07601e2a7a8444368f61fc4820ed30268d43e4b266657a0f581b6095e14d28ddc481b2f705a9c560ed276063bf4edd9e8644313a6daec084f443da58ef22

memory/1632-12-0x0000000074950000-0x000000007503E000-memory.dmp

\Users\Admin\AppData\Roaming\notepad.exe

MD5 b099f31ff999b0aac37e9de2e3160ce6
SHA1 03e35f01dbb3286c943e69771cd630757cd16bdf
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
SHA512 833b9200854811d35a243938dd9f47bb53be3559716438afd91fb8eabf282c6a23d49b4a4e3391e9bccd339048a65d75ec18ba4e8b922caf46d70d83b8a98079

memory/2484-16-0x0000000000A20000-0x0000000000A32000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:03

Reported

2024-06-01 01:05

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
(no indicator details recorded)

Detects file containing reversed ASEP Autorun registry keys

(2 matches; no indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (23 events) N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 936 wrote to memory of 4896 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2596 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 4620 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4896 wrote to memory of 3308 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 440 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"'

C:\Users\Admin\AppData\Roaming\notepad.exe

"C:\Users\Admin\AppData\Roaming\notepad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:8808 drasticqq.zapto.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:8808 drasticqq.zapto.org tcp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
US 8.8.8.8:53 udp
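In both runs the sample resolves drasticqq.zapto.org (zapto.org is a No-IP dynamic-DNS zone) and connects to 198.44.140.183 on ports 1081 and 8808. The connections to 127.0.0.1 on 7707 and 6606 are loopback attempts on AsyncRAT's builder-default ports (6606, 7707, 8808), which is what the "default" tag reflects; the in-addr.arpa queries seen only in the win10 run are reverse lookups with no sample-controlled destination. The script below is an added example, not sandbox output: it parses the Network tables of both runs as printed in this report, separates DNS, loopback probes and external C2 rows, and merges the runs into one IOC list. The dynamic-DNS suffix list is this example's assumption; treating the PTR lookups as background noise is an analyst judgement, not a report field.

```python
"""Network IOC extraction from the sandbox Network tables (added example, not
sandbox output). Parses the "Country Destination Domain Proto" rows of both
runs, drops reverse-DNS noise, separates loopback probes on AsyncRAT's
default ports from real C2 traffic and merges the runs into one IOC list.
DYNDNS_SUFFIXES and the PTR-as-noise rule are this example's assumptions."""
from collections import Counter

# AsyncRAT builder-default ports; a default config also keeps 127.0.0.1 as a host.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
# Free dynamic-DNS zones often used for RAT C2 (assumption: illustrative list).
DYNDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".hopto.org", ".ddns.net", ".duckdns.org")

def parse_row(line):
    """One table row -> dict; None for the header line. Domain is optional."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        return None
    host, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}

def summarize(table):
    """Classify every row of one run's Network table."""
    c2, loopback, domains, ptr = Counter(), set(), set(), 0
    for r in filter(None, map(parse_row, table.strip().splitlines())):
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"] is None:
                continue                            # query name not recorded
            if r["domain"].endswith(".in-addr.arpa"):
                ptr += 1                            # reverse lookup, treated as noise (assumption)
            else:
                domains.add(r["domain"])
        elif r["host"] == "127.0.0.1":
            loopback.add(r["port"])                 # default host entry left in the config
        else:
            c2["%s:%d" % (r["host"], r["port"])] += 1
    return {
        "c2": dict(c2),
        "domains": sorted(domains),
        "dyndns": sorted(d for d in domains if d.endswith(DYNDNS_SUFFIXES)),
        "loopback_default_ports": sorted(loopback & ASYNCRAT_DEFAULT_PORTS),
        "default_port_c2": sorted(e for e in c2 if int(e.rsplit(":", 1)[1]) in ASYNCRAT_DEFAULT_PORTS),
        "ptr_lookups": ptr,
    }

def merge_iocs(*summaries):
    """Deduplicated IOCs across runs: domains, C2 IPs and IP:port endpoints."""
    endpoints = sorted({e for s in summaries for e in s["c2"]})
    return {"domains": sorted({d for s in summaries for d in s["domains"]}),
            "ips": sorted({e.rsplit(":", 1)[0] for e in endpoints}),
            "endpoints": endpoints}

# Rows copied from the behavioral1 (win7) and behavioral2 (win10) tables of this report.
BEHAVIORAL1 = """
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
CA 198.44.140.183:8808 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:6606 tcp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:8808 drasticqq.zapto.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 drasticqq.zapto.org udp
CA 198.44.140.183:8808 drasticqq.zapto.org tcp
CA 198.44.140.183:1081 drasticqq.zapto.org tcp
US 8.8.8.8:53 udp
"""

if __name__ == "__main__":
    runs = [summarize(BEHAVIORAL1), summarize(BEHAVIORAL2)]
    print(merge_iocs(*runs))
```

Because the C2 host is a dynamic-DNS name, the IP is the weaker indicator: block or alert on drasticqq.zapto.org and on the 198.44.140.183 endpoints, and keep the default-port loopback pattern (127.0.0.1:6606/7707/8808) as a host-side hunting signal for other AsyncRAT builds left at default settings.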

Files

memory/936-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

memory/936-1-0x0000000000D90000-0x0000000000DA2000-memory.dmp

memory/936-2-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/936-3-0x0000000005750000-0x00000000057EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp.bat

MD5 63a7aa50c6ec025cbc52b3011cbfbb71
SHA1 41408c7c329e862723b63c5c597b9a62377c3b12
SHA256 5a5133d25e1591908f8c7c8e05bf120c23e7e300fa631bc1c893a01d93b92c53
SHA512 2ded0d52cc0c3eba2f828689ca4ce9b66fa9ba81ef0809c7dea035e3356b91456c5bc5ccbda61cb02e7e7a31efa8bd30f0c1a9f5b3751b2a6c2b4d05714bcbc4

memory/936-9-0x0000000074A70000-0x0000000075220000-memory.dmp

C:\Users\Admin\AppData\Roaming\notepad.exe

MD5 b099f31ff999b0aac37e9de2e3160ce6
SHA1 03e35f01dbb3286c943e69771cd630757cd16bdf
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
SHA512 833b9200854811d35a243938dd9f47bb53be3559716438afd91fb8eabf282c6a23d49b4a4e3391e9bccd339048a65d75ec18ba4e8b922caf46d70d83b8a98079

memory/440-13-0x0000000074A70000-0x0000000075220000-memory.dmp

memory/440-14-0x0000000074A70000-0x0000000075220000-memory.dmp