Malware Analysis Report

2024-08-06 13:08

Sample ID 240616-sh2nlsxgqe
Target cum.exe
SHA256 97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d
Tags
rat default asyncrat
score
10/10

Analysis Overview

score
10/10

SHA256

97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d

Threat Level: Known bad

The file cum.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Asyncrat family

Async RAT payload

AsyncRat

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:08

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:08

Reported

2024-06-16 15:11

Platform

win10-20240404-en

Max time kernel

146s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cum.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RAR.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cum.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RAR.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 824 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 600 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 600 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 600 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4592 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 600 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RAR.exe
PID 600 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RAR.exe
PID 600 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RAR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cum.exe

"C:\Users\Admin\AppData\Local\Temp\cum.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RAR" /tr '"C:\Users\Admin\AppData\Roaming\RAR.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7639.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RAR" /tr '"C:\Users\Admin\AppData\Roaming\RAR.exe"'

C:\Users\Admin\AppData\Roaming\RAR.exe

"C:\Users\Admin\AppData\Roaming\RAR.exe"

Network

Country Destination Domain Proto
N/A 172.16.0.64:6606 tcp
N/A 10.6.0.86:7707 tcp
N/A 172.16.0.64:6606 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
N/A 192.168.0.118:7707 tcp
N/A 10.6.0.86:6606 tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

memory/824-0-0x000000007362E000-0x000000007362F000-memory.dmp

memory/824-1-0x00000000001E0000-0x00000000001F2000-memory.dmp

memory/824-2-0x0000000073620000-0x0000000073D0E000-memory.dmp

memory/824-3-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

memory/824-8-0x0000000073620000-0x0000000073D0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7639.tmp.bat

MD5 7b0424f069ace6d4f326ead7c4c4c95a
SHA1 7b484a0880ad3b47c098e5fd74f41d9dc4f9d91b
SHA256 e260fae75a5d6916043e813597cfcdb0b020f40083eb1cb6c6b977372d6bd4cc
SHA512 f56416f0f5ddf39d7daaec5a5d5f4fc0561f3b1ac336be44985855ddb09915942864e47d2c1b7c9d5982d36507c3ea954f6e2bb91fd37ee57afa99a9403e6f41

C:\Users\Admin\AppData\Roaming\RAR.exe

MD5 910e4d86c5f28a323866c143789749db
SHA1 f8403807b7eb02a4a4021675c7a3d4aefc975527
SHA256 97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d
SHA512 8c577c27c82f7c75ca8abf8879463e86917a077e39d45a720bbd84d670f82c41b61041c99b22d3bc6738c42260a9ca0e8e6c65c1f93eafd5a529ce26dd31ebe9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 15:08

Reported

2024-06-16 15:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cum.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cum.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RAR.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cum.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RAR.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\cum.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1888 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1888 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3576 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3576 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3576 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RAR.exe
PID 1888 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RAR.exe
PID 1888 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RAR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cum.exe

"C:\Users\Admin\AppData\Local\Temp\cum.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RAR" /tr '"C:\Users\Admin\AppData\Roaming\RAR.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5340.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RAR" /tr '"C:\Users\Admin\AppData\Roaming\RAR.exe"'

C:\Users\Admin\AppData\Roaming\RAR.exe

"C:\Users\Admin\AppData\Roaming\RAR.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 10.6.0.86:6606 tcp
N/A 172.16.0.64:6606 tcp
N/A 192.168.0.118:8808 tcp
N/A 172.16.0.64:6606 tcp
N/A 10.6.0.86:7707 tcp
N/A 192.168.0.118:7707 tcp

Files

memory/1464-0-0x000000007482E000-0x000000007482F000-memory.dmp

memory/1464-1-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/1464-2-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/1464-3-0x0000000005090000-0x000000000512C000-memory.dmp

memory/1464-8-0x0000000074820000-0x0000000074FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5340.tmp.bat

MD5 8421a79c805c358aa55f5dbb49778e10
SHA1 9f7d16c9077ca39054ad2bb4feb85fe309eda275
SHA256 eb3a0f1064b62bb171b9c51d27e046bd312f576409604673fa4a5aae8d78076f
SHA512 b9686dc9c52798d4bd5b0a7df9db929c46f39f5ca4d70a41d4e416f7f88e68137d2da25224ba7cd22e28a42dc42d3244802bab40fdb0018fca5be1910f48461a

C:\Users\Admin\AppData\Roaming\RAR.exe

MD5 910e4d86c5f28a323866c143789749db
SHA1 f8403807b7eb02a4a4021675c7a3d4aefc975527
SHA256 97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d
SHA512 8c577c27c82f7c75ca8abf8879463e86917a077e39d45a720bbd84d670f82c41b61041c99b22d3bc6738c42260a9ca0e8e6c65c1f93eafd5a529ce26dd31ebe9

memory/2604-13-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/2604-14-0x0000000074770000-0x0000000074F20000-memory.dmp