Malware Analysis Report

2024-09-22 06:57

Sample ID 240617-gw3x2sxgja
Target sachost.exe
SHA256 76abd8184eddb0834ba5174e9520b060835a99dc3c7a07ef11e44088c798a7e8
Tags asyncrat default rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

76abd8184eddb0834ba5174e9520b060835a99dc3c7a07ef11e44088c798a7e8

Threat Level: Known bad

The file sachost.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Asyncrat family

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 06:10

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 06:10

Reported

2024-06-17 06:12

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sachost.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sachost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77-sachost.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sachost.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sachost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\$77-sachost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\sachost.exe

"C:\Users\Admin\AppData\Local\Temp\sachost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F4B.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'

C:\Users\Admin\AppData\Roaming\$77-sachost.exe

"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
BE | 88.221.83.186:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | environmental-blank.gl.at.ply.gg | udp
US | 147.185.221.19:25944 | environmental-blank.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 147.185.221.19:25944 | environmental-blank.gl.at.ply.gg | tcp

Files

memory/1428-0-0x00007FFD6C883000-0x00007FFD6C885000-memory.dmp

memory/1428-1-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/1428-2-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

memory/1428-7-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3F4B.tmp.bat

MD5 3d8e240b4d8d88a555670cc262aedba9
SHA1 2ce8714379be04ce99d0d993b55c6cc6b9a34ebb
SHA256 1ee76d5c92903c6725d9154bbcaba17bbaca94fe333ff040038dc34da4d2d19f
SHA512 64bd2e0cfb68a344c90d5b96712fd9cfbae81af6b741ee2eaee9237be45e1696330846663c67e662dc3b76e57f29d7cbde204bbb5be8b887f864546775a11bf8

C:\Users\Admin\AppData\Roaming\$77-sachost.exe

MD5 1dd350c26bb22547d4b15f12d94ab683
SHA1 22677617c917f64ba53c2dae0d58cce49ee2366d
SHA256 76abd8184eddb0834ba5174e9520b060835a99dc3c7a07ef11e44088c798a7e8
SHA512 9950e76fe089ab9dc9a505361620da3e93606d37c69e7bf7900f2405695b79238324e24db1c99223680be8ec772486d10695096c14dc3d3f96aae2d2b7425788

memory/1428-12-0x00007FFD6C880000-0x00007FFD6D341000-memory.dmp

memory/1348-13-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-14-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-15-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-22-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-25-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-24-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-23-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-21-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-20-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/1348-19-0x000001C4DF160000-0x000001C4DF161000-memory.dmp

memory/4636-26-0x000000001B240000-0x000000001B2B6000-memory.dmp

memory/4636-27-0x0000000002840000-0x0000000002874000-memory.dmp

memory/4636-28-0x00000000029B0000-0x00000000029CE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 06:10

Reported

2024-06-17 06:12

Platform

win7-20240508-en

Max time kernel

25s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sachost.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77-sachost.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sachost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\$77-sachost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1732 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\sachost.exe | C:\Windows\System32\cmd.exe
PID 1732 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\sachost.exe | C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2500 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\$77-sachost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\sachost.exe

"C:\Users\Admin\AppData\Local\Temp\sachost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\$77-sachost.exe

"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | environmental-blank.gl.at.ply.gg | udp
US | 8.8.8.8:53 | environmental-blank.gl.at.ply.gg | udp

Files

memory/1732-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

memory/1732-1-0x0000000000360000-0x0000000000376000-memory.dmp

memory/1732-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/1732-3-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1999.tmp.bat

MD5 3b51f9dd7bc3c4907c68f87fef8eea99
SHA1 12ae2737af94051a3f4d83344f83334fd4f01d7b
SHA256 869d5aaecae654d59f58bc6489c02579d48c3d3a5acc3e03ea2b2cac5e428b56
SHA512 f28c21cb701568cd226ead0411ba0b3b91068415dbf15560264ac21e3e94c83b494f2d8bcbae380218428153fe8886c7c71734037f7c246660115baf2c72f25b

memory/1732-13-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

C:\Users\Admin\AppData\Roaming\$77-sachost.exe

MD5 1dd350c26bb22547d4b15f12d94ab683
SHA1 22677617c917f64ba53c2dae0d58cce49ee2366d
SHA256 76abd8184eddb0834ba5174e9520b060835a99dc3c7a07ef11e44088c798a7e8
SHA512 9950e76fe089ab9dc9a505361620da3e93606d37c69e7bf7900f2405695b79238324e24db1c99223680be8ec772486d10695096c14dc3d3f96aae2d2b7425788

memory/2628-17-0x00000000003A0000-0x00000000003B6000-memory.dmp

memory/2556-18-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2556-19-0x0000000140000000-0x00000001405E8000-memory.dmp