Description	Indicator	Process	Target
PID 2400 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	C:\Windows\system32\WerFault.exe
PID 2400 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	C:\Windows\system32\WerFault.exe
PID 2400 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe

"C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2400 -s 776

Network

N/A

Files

memory/2400-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

memory/2400-1-0x0000000000B70000-0x0000000000C90000-memory.dmp

memory/2400-2-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

memory/2400-3-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

memory/2400-4-0x000000001BE40000-0x000000001BF0C000-memory.dmp

memory/2400-5-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

memory/2400-6-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

memory/2400-7-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 15:29

Reported

2024-06-18 15:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\lulz.exe	N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\timeout.exe	N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\lulz.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\lulz.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1416 wrote to memory of 5112	N/A	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	C:\Users\Admin\AppData\Local\Temp\Infected.exe
PID 1416 wrote to memory of 5112	N/A	C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe	C:\Users\Admin\AppData\Local\Temp\Infected.exe
PID 5112 wrote to memory of 3296	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	C:\Windows\System32\cmd.exe
PID 5112 wrote to memory of 3296	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	C:\Windows\System32\cmd.exe
PID 5112 wrote to memory of 4900	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 4900	N/A	C:\Users\Admin\AppData\Local\Temp\Infected.exe	C:\Windows\system32\cmd.exe
PID 3296 wrote to memory of 3328	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\schtasks.exe
PID 3296 wrote to memory of 3328	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\schtasks.exe
PID 4900 wrote to memory of 3952	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\timeout.exe
PID 4900 wrote to memory of 3952	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\timeout.exe
PID 4900 wrote to memory of 3384	N/A	C:\Windows\system32\cmd.exe	C:\Users\Admin\AppData\Roaming\lulz.exe
PID 4900 wrote to memory of 3384	N/A	C:\Windows\system32\cmd.exe	C:\Users\Admin\AppData\Roaming\lulz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe

"C:\Users\Admin\AppData\Local\Temp\935fa2bdf4a8b2b9d71c1e87dfda27ef.exe"

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5AA3.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\lulz.exe

"C:\Users\Admin\AppData\Roaming\lulz.exe"

Network

Country	Destination	Domain	Proto
N/A	127.0.0.1:7771		tcp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp
N/A	127.0.0.1:7771		tcp
N/A	127.0.0.1:7771		tcp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp
N/A	127.0.0.1:7771		tcp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp
N/A	127.0.0.1:7771		tcp
N/A	127.0.0.1:7771		tcp
N/A	127.0.0.1:7771		tcp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp
US	8.8.8.8:53	doffuovouvvufoz97964d-39377.portmap.host	udp

Files

memory/1416-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

memory/1416-1-0x000001A98D740000-0x000001A98D860000-memory.dmp

memory/1416-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1416-3-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1416-4-0x000001A9AABF0000-0x000001A9AACBC000-memory.dmp

memory/1416-6-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1416-7-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Infected.exe

MD5	b79066a5172f1508c1b9a8d02e9edd29
SHA1	08a74b0096e1df0043246e65bfe5861af4611515
SHA256	66eb0f1ec9845025074d4e91f6a9f5a1a91fca45f9a59bbdb5d718ba84948674
SHA512	033496e0033a0c359efbf2dbf61fa9c41804c26d3271b34b1b320598d9f3e9ea0b3276715eb99f77e50c62f3561f7fb4ad195f5b37c05430b66d0b6cb0489375

memory/5112-18-0x0000000000060000-0x0000000000076000-memory.dmp

memory/5112-19-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/5112-20-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/5112-25-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5AA3.tmp.bat

MD5	3547ed306326dffc30b03d53b99f3966
SHA1	8de52fe225a836c5dcd19292d01dd693b79390dc
SHA256	3a318284b7978b3af09f140e6ad7a819f76b6a9eea0fceef2525463dc8d799c9
SHA512	d99a291cd4708bc4e7f6200aeff0a141935819628f38249adfa5213ef0ae562f297a702c0ebf7377fb0cc69e52ee1136cb10bec72c08e1470e7bf82aca8dfe9b

memory/1416-30-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

memory/1416-31-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Sample ID	240618-swwphszbjf
Target	935fa2bdf4a8b2b9d71c1e87dfda27ef.exe
SHA256	f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11
Tags	asyncrat default rat

Malware Analysis Report

2024-08-06 13:12

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files