Analysis Overview
SHA256
124174c711a4ccf9cb60a6840d6973f7fd87356e88c434b7b30498b3bb91b3fc
Threat Level: Known bad
The file 935fa2bdf4a8b2b9d71c1e87dfda27ef.bin was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 03:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 03:40
Reported
2024-06-20 03:42
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lulz.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lulz.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe
"C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe"
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"'
C:\Users\Admin\AppData\Roaming\lulz.exe
"C:\Users\Admin\AppData\Roaming\lulz.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:7771 | N/A | tcp |
| US | 8.8.8.8:53 | doffuovouvvufoz97964d-39377.portmap.host | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Infected.exe
| MD5 | b79066a5172f1508c1b9a8d02e9edd29 |
| SHA1 | 08a74b0096e1df0043246e65bfe5861af4611515 |
| SHA256 | 66eb0f1ec9845025074d4e91f6a9f5a1a91fca45f9a59bbdb5d718ba84948674 |
| SHA512 | 033496e0033a0c359efbf2dbf61fa9c41804c26d3271b34b1b320598d9f3e9ea0b3276715eb99f77e50c62f3561f7fb4ad195f5b37c05430b66d0b6cb0489375 |
C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.bat
| MD5 | 0c8275402e3db7547a34551b85ebdafe |
| SHA1 | 14fc6ceab9c37e32211804d49b492cbecd9b4b69 |
| SHA256 | 216ca709f1c43b3a0dc1392af0d9300070e02d0546a5e99d9141abbe8bc050c3 |
| SHA512 | d423e61f270474e158cf184fa934f79c8d310afb68d52bf37d2ca1dc8975eea0eaed63f275e68f15bcede5f4a95cb84377ccd260df47262278fbc83608e1caa0 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 03:40
Reported
2024-06-20 03:42
Platform
win7-20240611-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2440 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe
"C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2440 -s 776
Network
Files