Malware Analysis Report

2024-09-22 07:44

Sample ID: 240602-1hl7xsfh4s
Target: eeede.bat
SHA256: 95b41051910dea604a28a991b14f321d51706f22630fb555462b6720a9668c81
Tags: asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 95b41051910dea604a28a991b14f321d51706f22630fb555462b6720a9668c81

Threat Level: Known bad

The file eeede.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Executes dropped EXE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-02 21:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 21:39
Reported: 2024-06-02 21:41
Platform: win11-20240508-en
Max time kernel: 90s
Max time network: 95s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eeede.bat"

Signatures

AsyncRat (tags: rat asyncrat)

Async RAT payload (tags: rat)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                           Indicator  Process                                  Target
Token: SeDebugPrivilege               N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeIncreaseQuotaPrivilege       N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSecurityPrivilege            N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeTakeOwnershipPrivilege       N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeLoadDriverPrivilege          N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSystemProfilePrivilege       N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSystemtimePrivilege          N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeProfSingleProcessPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeIncBasePriorityPrivilege     N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeCreatePagefilePrivilege      N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeBackupPrivilege              N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeRestorePrivilege             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeShutdownPrivilege            N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeDebugPrivilege               N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSystemEnvironmentPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeRemoteShutdownPrivilege      N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeUndockPrivilege              N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeManageVolumePrivilege        N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 33                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 34                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 35                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 36                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeIncreaseQuotaPrivilege       N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSecurityPrivilege            N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeTakeOwnershipPrivilege       N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeLoadDriverPrivilege          N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSystemProfilePrivilege       N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSystemtimePrivilege          N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeProfSingleProcessPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeIncBasePriorityPrivilege     N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeCreatePagefilePrivilege      N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeBackupPrivilege              N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeRestorePrivilege             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeShutdownPrivilege            N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeDebugPrivilege               N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeSystemEnvironmentPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeRemoteShutdownPrivilege      N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeUndockPrivilege              N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: SeManageVolumePrivilege        N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 33                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 34                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 35                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A
Token: 36                             N/A        C:\Users\Admin\AppData\Local\Temp\x.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                      Target
PID 4416 wrote to memory of 2996  N/A        C:\Windows\system32\cmd.exe  C:\Windows\system32\findstr.exe
PID 4416 wrote to memory of 2996  N/A        C:\Windows\system32\cmd.exe  C:\Windows\system32\findstr.exe
PID 4416 wrote to memory of 2516  N/A        C:\Windows\system32\cmd.exe  C:\Windows\system32\cscript.exe
PID 4416 wrote to memory of 2516  N/A        C:\Windows\system32\cmd.exe  C:\Windows\system32\cscript.exe
PID 4416 wrote to memory of 4628  N/A        C:\Windows\system32\cmd.exe  C:\Users\Admin\AppData\Local\Temp\x.exe
PID 4416 wrote to memory of 4628  N/A        C:\Windows\system32\cmd.exe  C:\Users\Admin\AppData\Local\Temp\x.exe

Processes

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eeede.bat"

C:\Windows\system32\findstr.exe
  findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\eeede.bat"

C:\Windows\system32\cscript.exe
  cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs

C:\Users\Admin\AppData\Local\Temp\x.exe
  C:\Users\Admin\AppData\Local\Temp\x.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\x

MD5 bdbe219a1e044dc99355557ce75a95da
SHA1 8caa44b9e4751ff3c9b8da6ed49e5c4297b274ef
SHA256 677010b404d33ec90e208c02b3a4bb08e1a179e941450daa40450d7ccca29ee1
SHA512 9cffa62844215cd848d4f423417da1da9b3a37cefb8d30a4180815ed6ceb0478cd195370b95b19ebeff42126809f9ddf9b11a747fd1e8b078e85d9a8d86b72db

C:\Users\Admin\AppData\Local\Temp\x.vbs

MD5 ec9a2fb69a379d913a4e0a953cd3b97c
SHA1 a0303ed9f787c042071a1286bba43a5bbdd0679e
SHA256 cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b
SHA512 fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

C:\Users\Admin\AppData\Local\Temp\x

MD5 c7570834131ffa4c1f8df8d328462d87
SHA1 60075abcfce0ab3164ba880da43029b71a70df3f
SHA256 ee318691037bf98979be096b96db114ad4bc6f1a391898b2944232b825e5805b
SHA512 eb3a0ab57ee21a1cf335d2bc35f08f1d8f3adaae9d1051eda63dd89b6498afd5e0c23af823e76c3aa5eda72fb2bf002359feb49651ada03a189e4fd93e71d9bd

C:\Users\Admin\AppData\Local\Temp\x.exe

MD5 5b14dedfd50e82d4a2e0a9e67b45f8ce
SHA1 5cc49f558d35cdafe40697d3021420594479ccf6
SHA256 b0b54e3ddaac2542f54ac9748ff99b5624460fd0164ed24766232d8d2afe3d24
SHA512 c1d16260ccb6bb45447b5c06a1487babfaa58f19f9d72439a5a04b3227083961d69bd4cf35c058f4a28682aac8e53a67238032c470101f51f76a3b39a63b2d7a

memory/4628-2192-0x00007FFD4C033000-0x00007FFD4C035000-memory.dmp

memory/4628-2193-0x00000000004C0000-0x00000000004E2000-memory.dmp

memory/4628-2195-0x00007FFD4C030000-0x00007FFD4CAF2000-memory.dmp

memory/4628-2196-0x00007FFD4C030000-0x00007FFD4CAF2000-memory.dmp