Malware Analysis Report

2024-09-22 07:15

Sample ID 240601-s4smtsgd84
Target WindowsDesktopGraphics.exe
SHA256 130d9a370a0719f5012e4f12ae8e023b40cc80357ac235f9bed60bfd7acf9297
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

130d9a370a0719f5012e4f12ae8e023b40cc80357ac235f9bed60bfd7acf9297

Threat Level: Known bad

The file WindowsDesktopGraphics.exe was found to be: Known bad.

What the two detonations show, read from the process, network and file data below: the sample (a .NET executable, given the CLR_v4.0\UsageLogs entry written on the Windows 10 run) copies itself to C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe (the dropped file has the same SHA256 as the submitted sample), registers that copy as an on-logon scheduled task through cmd.exe and schtasks.exe with /rl highest, then runs a temporary batch file that waits three seconds with timeout.exe before launching the copy. Both runs connect repeatedly to 10.8.3.238:59656 over TCP. That is an RFC 1918 private address, reachable only inside whatever network the build was configured for (a VPN or lab range, for example), so it is a weak indicator elsewhere; the host-side artifacts (task name, dropped path, DataLogs.conf) travel better. C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf is the default log path of AsyncRAT's keylogger, which fits the SetWindowsHookEx signature on the dropped copy. Two caveats on the privilege-related signatures: /rl highest only produces an elevated task when the creating account is an administrator (the sandbox user "Admin" is), and enabling SeDebugPrivilege likewise only succeeds for an account that holds it; on a standard user both the task and the RAT run at medium integrity.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

AsyncRat

Asyncrat family

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:41

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:41

Reported

2024-06-01 15:43

Platform

win7-20240508-en

Max time kernel

127s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe C:\Windows\System32\cmd.exe
PID 2056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe C:\Windows\System32\cmd.exe
PID 2056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe C:\Windows\System32\cmd.exe
PID 2056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe C:\Windows\system32\cmd.exe
PID 2056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe C:\Windows\system32\cmd.exe
PID 2056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2900 wrote to memory of 3068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2900 wrote to memory of 3068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2924 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2924 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2924 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe
PID 2924 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe
PID 2924 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsdesktopgraphics" /tr '"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "windowsdesktopgraphics" /tr '"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe

"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"

Network

Country Destination Domain Proto
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp

All six connections go to the same endpoint, 10.8.3.238:59656, an address in the 10.0.0.0/8 private range; no domain was resolved for it.

Files

memory/2056-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

memory/2056-1-0x0000000000900000-0x0000000000918000-memory.dmp

memory/2056-3-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.bat

MD5 475115b70a31b6f4db5cd1c7d5b8206c
SHA1 fa09e99449d0a70f4a05e2686e30f44a47b56aca
SHA256 752c84fc4937004b6726a5a43e7ee5e876e45687bdd887fae08de171e635c073
SHA512 bd007c83ccac747788ca889f6272359bb31e189cab9614f93fbc309b97a54b9c8d140929a9a7a1db0bf2626dcb98d647c147caf366a21fab2b9f01cd75544783

memory/2056-12-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/2056-14-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe

MD5 33f354fd83e3b7cfc9dec200a8cee01d
SHA1 43cc469faf3e45ea118af98a4bea80e68946b542
SHA256 130d9a370a0719f5012e4f12ae8e023b40cc80357ac235f9bed60bfd7acf9297
SHA512 c2551ebf93a6719896d486440409bbea60c166e26fc21a622b869bcf5041225643aa5c35d108e12fe857a893e1fe21e9238d556b586f93927cc7339b716abdf9

memory/2788-18-0x0000000000070000-0x0000000000088000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:41

Reported

2024-06-01 15:43

Platform

win10v2004-20240426-en

Max time kernel

126s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsdesktopgraphics" /tr '"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4006.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "windowsdesktopgraphics" /tr '"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"'

C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe

"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"
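Both Processes sections above show the same two-branch chain: one cmd.exe registers the on-logon task, the other runs a tmp*.tmp.bat that sleeps with timeout 3 and then starts the dropped copy. The following is an added example, not part of this report and not any sandbox's own code, of detection logic that flags that chain in process-creation telemetry. It assumes Sysmon Event ID 1 style records reduced to pid, parent pid, image and command line. The sample events are constructed from the behavioral1 tree (PIDs and parent links taken from the WriteProcessMemory table; the parent of PID 2056 is not recorded, so 0 stands in for it), plus one constructed benign schtasks call that the rules must not fire on. The rule names, severities and the list of user-writable paths are the example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 reduced to four fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry reproducing the behavioral1 process tree from the report.
# PIDs and parent links follow the WriteProcessMemory table; the parent of PID 2056
# is not in the report, so ppid 0 is a placeholder. The last event is an assumed
# benign control (not from the report) that the rules must not flag.
SAMPLE_EVENTS = [
    ProcEvent(2056, 0, r"C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\WindowsDesktopGraphics.exe"'),
    ProcEvent(2900, 2056, r"C:\Windows\System32\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '''
              r'''/tn "windowsdesktopgraphics" /tr '"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"' & exit'''),
    ProcEvent(2924, 2056, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.bat""'),
    ProcEvent(3068, 2900, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks /create /f /sc onlogon /rl highest /tn "windowsdesktopgraphics" '''
              r"""/tr '"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"'"""),
    ProcEvent(2644, 2924, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(2788, 2924, r"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe",
              r'"C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe"'),
    ProcEvent(4100, 4000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# Paths a standard user can write to; a scheduled task pointing here is the classic
# user-level persistence pattern. Extend to taste for your environment.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
# The temp batch naming used by this sample (tmp32D3.tmp.bat, tmp4006.tmp.bat).
TEMP_BATCH = re.compile(r"\\Temp\\tmp[0-9A-F]+\.tmp\.bat", re.I)
# /sc values that re-run the task without user action.
AUTOSTART = {"onlogon", "onstart", "onidle", "minute", "hourly"}


def _opt(cmdline, name):
    """Value of a schtasks option such as /tr, with the quoting layers the sample uses stripped."""
    m = re.search(r'''/%s\s+('[^']*'|"[^"]*"|\S+)''' % name, cmdline, re.I)
    return m.group(1).strip("'\"") if m else None


def parse_schtasks(cmdline):
    """Return the /sc, /rl, /tn and /tr values of a 'schtasks /create' command line, else None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        return None
    return {
        "sc": (_opt(cmdline, "sc") or "").lower(),
        "rl": (_opt(cmdline, "rl") or "").lower(),
        "tn": _opt(cmdline, "tn"),
        "tr": _opt(cmdline, "tr"),
    }


def detect(events):
    """Run three rules over a batch of events; return (rule, pid, severity, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    findings = []
    seen_tasks = set()  # the cmd wrapper and schtasks.exe both carry the command line; report once
    for e in events:
        task = parse_schtasks(e.cmdline)
        if task and task["tr"] and USER_WRITABLE.search(task["tr"]) \
                and task["sc"] in AUTOSTART and (task["tn"], task["tr"]) not in seen_tasks:
            seen_tasks.add((task["tn"], task["tr"]))
            severity = "high" if task["rl"] == "highest" else "medium"
            findings.append(("autostart_task_in_user_writable_path", e.pid, severity,
                             f'/tn {task["tn"]} /sc {task["sc"]} /rl {task["rl"] or "default"} -> {task["tr"]}'))
        parent = by_pid.get(e.ppid)
        # cmd.exe running a tmp*.tmp.bat, itself spawned by a binary in a user-writable path
        if e.image.lower().endswith("\\cmd.exe") and TEMP_BATCH.search(e.cmdline) \
                and parent and USER_WRITABLE.search(parent.image):
            findings.append(("temp_batch_spawned_by_user_writable_binary", e.pid, "medium", parent.image))
        # timeout.exe under that batch, with a sibling process launched from a user-writable path
        if e.image.lower().endswith("\\timeout.exe") and parent and TEMP_BATCH.search(parent.cmdline):
            launched = [s.image for s in events
                        if s.ppid == e.ppid and s.pid != e.pid and USER_WRITABLE.search(s.image)]
            if launched:
                findings.append(("delay_then_execute_dropped_copy", e.pid, "high", launched[0]))
    return findings


if __name__ == "__main__":
    for rule, pid, severity, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule} pid={pid}: {detail}")
```

Run against the constructed events this yields three findings (the task registration from PID 2900, the temp batch from PID 2924, the delay-then-launch from PID 2644) and nothing for the benign NightlyBackup task. The schtasks rule matches on the command line rather than the image so it still fires when only the cmd.exe wrapper is logged; the dedupe on (task name, action) keeps that from producing two alerts when both processes are present.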

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 10.8.3.238:59656 N/A tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
N/A 10.8.3.238:59656 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
N/A 10.8.3.238:59656 N/A tcp
N/A 10.8.3.238:59656 N/A tcp

The 8.8.8.8 rows are PTR (reverse DNS) lookups for other addresses sent to the public Google resolver; the report does not attribute them to a process and nothing in the behavioral data ties them to the sample. The TCP connections to 10.8.3.238:59656 are the same private-address endpoint seen in the Windows 7 run.

Files

memory/2036-0-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

memory/2036-1-0x00007FFA50443000-0x00007FFA50445000-memory.dmp

memory/2036-3-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4006.tmp.bat

MD5 9a6ce3289fcb878fe503fdf9334d6715
SHA1 c50104677093c879d963d9b11791a811436658c1
SHA256 6377a230169fbddc8277339b20175d829413802e3d02eaa3d27a1cc922428419
SHA512 8c073e6e52327d32a295282b1e83ae4ddbbd80ccbe571eebdb7cdb900a52d0e960a775a4ac64977454ab99cbaaec9db53824143dda487b85ac93b9497fad0550

C:\Users\Admin\AppData\Roaming\windowsdesktopgraphics.exe

MD5 33f354fd83e3b7cfc9dec200a8cee01d
SHA1 43cc469faf3e45ea118af98a4bea80e68946b542
SHA256 130d9a370a0719f5012e4f12ae8e023b40cc80357ac235f9bed60bfd7acf9297
SHA512 c2551ebf93a6719896d486440409bbea60c166e26fc21a622b869bcf5041225643aa5c35d108e12fe857a893e1fe21e9238d556b586f93927cc7339b716abdf9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windowsdesktopgraphics.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2036-14-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp