Analysis
- max time kernel: 133s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/06/2024, 06:10
Behavioral task: behavioral1
- Sample: sachost.exe
- Resource: win7-20240508-en
Errors
General
- Target: sachost.exe
- Size: 63KB
- MD5: 1dd350c26bb22547d4b15f12d94ab683
- SHA1: 22677617c917f64ba53c2dae0d58cce49ee2366d
- SHA256: 76abd8184eddb0834ba5174e9520b060835a99dc3c7a07ef11e44088c798a7e8
- SHA512: 9950e76fe089ab9dc9a505361620da3e93606d37c69e7bf7900f2405695b79238324e24db1c99223680be8ec772486d10695096c14dc3d3f96aae2d2b7425788
- SSDEEP: 1536:l8r+2kN5j5BnihYUbSh9XUfW7u9ydpqKmY7:yWX9BnaYUbSQfWtGz
Malware Config
Extracted
- Family: asyncrat
- Default (C2): environmental-blank.gl.at.ply.gg:25944
- delay: 1
- install: true
- install_file: $77-sachost.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0009000000023479-10.dat, yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation (sachost.exe)
- Executes dropped EXE (1 IoC)
  PID 4636: $77-sachost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2636: schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  PID 684: timeout.exe
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1428 sachost.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe -
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1348: taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token SeDebugPrivilege: PID 1428 sachost.exe
  Token SeDebugPrivilege: PID 1428 sachost.exe
  Token SeDebugPrivilege: PID 4636 $77-sachost.exe
  Token SeDebugPrivilege: PID 4636 $77-sachost.exe
  Token SeDebugPrivilege: PID 1348 taskmgr.exe
  Token SeSystemProfilePrivilege: PID 1348 taskmgr.exe
  Token SeCreateGlobalPrivilege: PID 1348 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe -
- Suspicious use of SendNotifyMessage (64 IoCs)
pid Process 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe 1348 taskmgr.exe -
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1428 sachost.exe wrote to memory of PID 3920 (procid_target 87)
  PID 1428 sachost.exe wrote to memory of PID 3920 (procid_target 87)
  PID 1428 sachost.exe wrote to memory of PID 2492 (procid_target 89)
  PID 1428 sachost.exe wrote to memory of PID 2492 (procid_target 89)
  PID 2492 cmd.exe wrote to memory of PID 684 (procid_target 91)
  PID 2492 cmd.exe wrote to memory of PID 684 (procid_target 91)
  PID 3920 cmd.exe wrote to memory of PID 2636 (procid_target 92)
  PID 3920 cmd.exe wrote to memory of PID 2636 (procid_target 92)
  PID 2492 cmd.exe wrote to memory of PID 4636 (procid_target 94)
  PID 2492 cmd.exe wrote to memory of PID 4636 (procid_target 94)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\sachost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sachost.exe"
  PID: 1428
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit
    PID: 3920
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'
      PID: 2636
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F4B.tmp.bat""
    PID: 2492
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 684
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\$77-sachost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\$77-sachost.exe"
      PID: 4636
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1348
  Signatures: Checks SCSI registry key(s); Checks processor information in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3604
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 155B
  MD5: 3d8e240b4d8d88a555670cc262aedba9
  SHA1: 2ce8714379be04ce99d0d993b55c6cc6b9a34ebb
  SHA256: 1ee76d5c92903c6725d9154bbcaba17bbaca94fe333ff040038dc34da4d2d19f
  SHA512: 64bd2e0cfb68a344c90d5b96712fd9cfbae81af6b741ee2eaee9237be45e1696330846663c67e662dc3b76e57f29d7cbde204bbb5be8b887f864546775a11bf8
- Filesize: 63KB
  MD5: 1dd350c26bb22547d4b15f12d94ab683
  SHA1: 22677617c917f64ba53c2dae0d58cce49ee2366d
  SHA256: 76abd8184eddb0834ba5174e9520b060835a99dc3c7a07ef11e44088c798a7e8
  SHA512: 9950e76fe089ab9dc9a505361620da3e93606d37c69e7bf7900f2405695b79238324e24db1c99223680be8ec772486d10695096c14dc3d3f96aae2d2b7425788