Malware Analysis Report

2024-09-22 07:08

Sample ID 240601-zt1zsaff32
Target One-armed Hacker.exe
SHA256 1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe
Tags: asyncrat, default, rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe

Threat Level: Known bad

The file One-armed Hacker.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Asyncrat family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-01 21:01

Signatures

Async RAT payload (tag: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family (tag: asyncrat)

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 21:01
Reported: 2024-06-01 21:04
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tag: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s) (tag: persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe (tag: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3008 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3008 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3008 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 3008 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe

"C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Intel WIFI.exe

"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp

Files

memory/1712-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

memory/1712-1-0x00000000000D0000-0x00000000000E2000-memory.dmp

memory/1712-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat

MD5 387872e894519b3b91df99835dfb83b9
SHA1 8e6a008e107c5850a3e3312cc2f7f40f405acc4f
SHA256 80fbcf3a34317c29e786714da3081e0a51f9389191acfe71740bed774bda7b31
SHA512 dcf306cc58040f136014f753143fc948fcc1297a8ae537a7a66d9a63465dac478b1ad6071b17095c188f7c337d4681982ea331577b1572d190b623d5ab80a3f0

memory/1712-12-0x00000000745E0000-0x0000000074CCE000-memory.dmp

\Users\Admin\AppData\Roaming\Intel WIFI.exe

MD5 8753bac20e412415ebee30d7bbcd88fd
SHA1 682558771fc44df1eaa76fefb01a8a5e4b6e1d77
SHA256 1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe
SHA512 efa3003fa957e907804c0c651c8e35a95422b1752efad848aa8df6b0924bc776c4777823f8dd03ba7adca963b4be85c9692d515694c2867786f2b7afd9e4e8f5

memory/2420-16-0x0000000000850000-0x0000000000862000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 21:01
Reported: 2024-06-01 21:02
Platform: win10v2004-20240426-en
Max time kernel: 67s
Max time network: 66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tag: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s) (tag: persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe (tag: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4536 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe | C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1496 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1496 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1428 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1428 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1428 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1428 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 1428 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe
PID 1428 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Intel WIFI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe

"C:\Users\Admin\AppData\Local\Temp\One-armed Hacker.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp50CF.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Intel WIFI" /tr '"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Intel WIFI.exe

"C:\Users\Admin\AppData\Roaming\Intel WIFI.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:7707 |  | tcp
N/A | 127.0.0.1:6606 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp
N/A | 127.0.0.1:8808 |  | tcp

Files

memory/4536-0-0x000000007540E000-0x000000007540F000-memory.dmp

memory/4536-1-0x00000000008B0000-0x00000000008C2000-memory.dmp

memory/4536-2-0x0000000075400000-0x0000000075BB0000-memory.dmp

memory/4536-3-0x0000000005250000-0x00000000052B6000-memory.dmp

memory/4536-4-0x00000000056A0000-0x000000000573C000-memory.dmp

memory/4536-9-0x0000000075400000-0x0000000075BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50CF.tmp.bat

MD5 4f855eb7bae5f62b2e77745f673a2e14
SHA1 b034422f0e54d1d95e0ae1a1f1bfe2cfda66276b
SHA256 1c665ec9fdab18b88ab39e0ab118e46178c6d932e113edea906af4888d3db093
SHA512 c9ed616e3d0b13f1b9fe8e3fc219a063738eefdcfcce98b0c3f9c447408b7bb2aec43084bb64fed437c2b8bbc87c55e4c780ac1d968f6e5a4c91ce7f9dd23f56

C:\Users\Admin\AppData\Roaming\Intel WIFI.exe

MD5 8753bac20e412415ebee30d7bbcd88fd
SHA1 682558771fc44df1eaa76fefb01a8a5e4b6e1d77
SHA256 1927065a2b1ff2bd296dabbc9c444552409450d1d3e567ac5b3d9d4a24cb06fe
SHA512 efa3003fa957e907804c0c651c8e35a95422b1752efad848aa8df6b0924bc776c4777823f8dd03ba7adca963b4be85c9692d515694c2867786f2b7afd9e4e8f5

memory/2916-14-0x0000000075400000-0x0000000075BB0000-memory.dmp

memory/2916-15-0x0000000075400000-0x0000000075BB0000-memory.dmp