Malware Analysis Report

2024-09-22 07:46

Sample ID 240603-hmdggafc9w
Target 2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord
SHA256 4a39e9845c1601089164eabecb6e903071d2a30cad1fde9461fe262046ff1a8d
Tags
execution persistence asyncrat default rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

4a39e9845c1601089164eabecb6e903071d2a30cad1fde9461fe262046ff1a8d

Threat Level: Known bad

The file 2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord was found to be: Known bad.

Malicious Activity Summary

execution persistence asyncrat default rat

AsyncRat

Detects executables attempting to enumerate video devices using WMI

Detects executables containing the string DcRatBy

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:50

Reported

2024-06-03 06:53

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord = "C:\\Users\\Admin\\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

Network

N/A

Files

memory/2684-4-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

memory/2684-6-0x000000001B320000-0x000000001B602000-memory.dmp

memory/2684-7-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

memory/2684-8-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2684-9-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2684-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2684-11-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:50

Reported

2024-06-03 06:53

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe"

Signatures

AsyncRat

rat asyncrat

Detects executables attempting to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing the string DcRatBy

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord = "C:\\Users\\Admin\\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2436 set thread context of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2436 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_6a19e9bcb9badcac3e3c0d19544c5b75_megazord.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
HK 8.217.159.157:65503 N/A tcp
US 8.8.8.8:53 157.159.217.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 webwhatsapp.cc udp
HK 8.217.140.110:65503 webwhatsapp.cc tcp
US 8.8.8.8:53 110.140.217.8.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
HK 8.217.159.157:65503 N/A tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/948-0-0x00007FF97B673000-0x00007FF97B675000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wenjznfx.t3w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/948-10-0x0000022C9F690000-0x0000022C9F6B2000-memory.dmp

memory/948-11-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/948-13-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/3916-14-0x0000000000400000-0x0000000000416000-memory.dmp

memory/948-15-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/948-16-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/948-19-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

memory/3916-20-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/3916-21-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3916-24-0x0000000005F80000-0x000000000601C000-memory.dmp

memory/3916-25-0x00000000065D0000-0x0000000006B74000-memory.dmp

memory/3916-26-0x0000000006090000-0x00000000060F6000-memory.dmp

memory/3916-27-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/3916-28-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3916-29-0x0000000007400000-0x0000000007476000-memory.dmp

memory/3916-30-0x00000000065A0000-0x00000000065B0000-memory.dmp

memory/3916-31-0x00000000073B0000-0x00000000073CE000-memory.dmp

memory/3916-32-0x00000000075F0000-0x0000000007682000-memory.dmp