Malware Analysis Report

2024-09-22 07:45

Sample ID 240603-elhg9abh78
Target XBinderOutput.exe
SHA256 5cf263079a4b839244985caa05ac2a3736b28fd23e300a45492fb068c626905b
Tags asyncrat default discovery execution persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 5cf263079a4b839244985caa05ac2a3736b28fd23e300a45492fb068c626905b

Threat Level: Known bad

The file XBinderOutput.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default discovery execution persistence rat

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-03 04:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-03 04:01

Reported 2024-06-03 04:03

Platform win11-20240426-en

Max time kernel 82s

Max time network 82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\LXLauncher.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\LXLauncher = "C:\\Users\\Admin\\AppData\\Local\\LXLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\LXLauncher.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\LXLauncher.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1376 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1376 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Windows\System32\schtasks.exe
PID 1376 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Windows\System32\schtasks.exe
PID 1376 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\LXLauncher.exe
PID 1376 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\LXLauncher.exe
PID 1376 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
PID 1376 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
PID 1220 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\LXLauncher.exe | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\LXLauncher.exe | C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 1600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2200 wrote to memory of 1600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\LXLauncher.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "LXLauncher" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\LXLauncher.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\LXLauncher.exe

"C:\Users\Admin\AppData\Local\LXLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp90D1.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
DE | 193.161.193.99:44454 | | tcp
DE | 193.161.193.99:44454 | | tcp
DE | 193.161.193.99:44454 | | tcp

Files

memory/1376-0-0x00007FFF0D8F3000-0x00007FFF0D8F5000-memory.dmp

memory/1376-1-0x0000000000840000-0x00000000008B4000-memory.dmp

memory/1376-2-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

memory/2744-3-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

memory/2744-4-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

memory/2744-5-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bcefopx.4qx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2744-14-0x00000188E91A0000-0x00000188E91C2000-memory.dmp

memory/2744-15-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

memory/2744-18-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

memory/2744-19-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

C:\Users\Admin\AppData\Local\LXLauncher.exe

MD5 b150788393089ac23bef96dc6dde5968
SHA1 ac70e22ad71cbb6e61ced55402921c48fd00490b
SHA256 670bb5af15517a0359d172b04bdadf247a7e43cd8c10d7e441990eeca2de507b
SHA512 4a64fd82e8ce7af0c7238ef3d82647e6543007b4bf81e625454e7a8016aeb5b22087dcf8916d3e3c3dea48a50d2218289bbc25136200134ed36f47656e870442

memory/1220-31-0x00000000006D0000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XBinderOutput.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

memory/1376-37-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

memory/1220-39-0x000000001CB60000-0x000000001CBD6000-memory.dmp

memory/1220-40-0x000000001B440000-0x000000001B44E000-memory.dmp

memory/1220-41-0x000000001CB00000-0x000000001CB1E000-memory.dmp

memory/1220-42-0x000000001C8E0000-0x000000001C946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp90D1.tmp.bat

MD5 97953d6f8af94b730f336c81ecb13c98
SHA1 8e5abc39aec30aeb819a2c9b458bcfeb3037b082
SHA256 654339c11879f7bc26883203e80a2e4766f0b54d101b18b13c32848e52c3e28e
SHA512 6b4cd97f43218e19754521ad8f7e527c0a42072ce439b2d54ec99dd8ceb814abee46f27a26aba28fe562c78800ac57157a5deed468a49678700c9599fb4f21a3