Malware Analysis Report

2024-08-06 13:14

Sample ID 240616-ssshpaybqc
Target cum.exe
SHA256 97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d

Threat Level: Known bad

The file cum.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Asyncrat family

Async RAT payload

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:23

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:23

Reported

2024-06-16 15:26

Platform

win10v2004-20240611-en

Max time kernel

131s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cum.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cum.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\RAR.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RAR.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1244 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\cum.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 4704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2592 wrote to memory of 4704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2592 wrote to memory of 4704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3748 wrote to memory of 4136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3748 wrote to memory of 4136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3748 wrote to memory of 4136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\RAR.exe
PID 2592 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\RAR.exe
PID 2592 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\RAR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cum.exe

"C:\Users\Admin\AppData\Local\Temp\cum.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RAR" /tr '"C:\Users\Admin\AppData\Roaming\RAR.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7956.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RAR" /tr '"C:\Users\Admin\AppData\Roaming\RAR.exe"'

C:\Users\Admin\AppData\Roaming\RAR.exe

"C:\Users\Admin\AppData\Roaming\RAR.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.155:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
N/A | 10.6.0.86:6606 | N/A | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp
N/A | 10.6.0.86:7707 | N/A | tcp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
N/A | 10.6.0.86:7707 | N/A | tcp
N/A | 10.6.0.86:7707 | N/A | tcp
N/A | 10.6.0.86:7707 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7956.tmp.bat

MD5 c0dfa17f89910af740ce3e55f3b85d03
SHA1 357b25c6575b7b984d842b56995c83b2839e9ecc
SHA256 b7efb551b0cdf5da72d460e9c0d37a21d0c1cb47abc74372cec621eceaa3011f
SHA512 872536ce83fc7d1810d14af59a5ff3dd18933b670060b3e88fdb3abd6806574303bbc9dcf41b1a453b592c3a510d239cba5635df62824cc925d8c8565ccd1ac9

C:\Users\Admin\AppData\Roaming\RAR.exe

MD5 910e4d86c5f28a323866c143789749db
SHA1 f8403807b7eb02a4a4021675c7a3d4aefc975527
SHA256 97ef8ed044f3e29f2d56193a52aa607e33eb990210cea4cdac6fbf7285fc733d
SHA512 8c577c27c82f7c75ca8abf8879463e86917a077e39d45a720bbd84d670f82c41b61041c99b22d3bc6738c42260a9ca0e8e6c65c1f93eafd5a529ce26dd31ebe9
