Malware Analysis Report

2024-09-22 06:36

Sample ID 240620-d8c1ls1ejn
Target 935fa2bdf4a8b2b9d71c1e87dfda27ef.bin
SHA256 124174c711a4ccf9cb60a6840d6973f7fd87356e88c434b7b30498b3bb91b3fc
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

124174c711a4ccf9cb60a6840d6973f7fd87356e88c434b7b30498b3bb91b3fc

Threat Level: Known bad

The file 935fa2bdf4a8b2b9d71c1e87dfda27ef.bin was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:40

Reported

2024-06-20 03:42

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\lulz.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lulz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\lulz.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe

"C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe"

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "lulz" /tr '"C:\Users\Admin\AppData\Roaming\lulz.exe"'

C:\Users\Admin\AppData\Roaming\lulz.exe

"C:\Users\Admin\AppData\Roaming\lulz.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:7771 tcp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp
N/A 127.0.0.1:7771 tcp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp
N/A 127.0.0.1:7771 tcp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp
N/A 127.0.0.1:7771 tcp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp
US 8.8.8.8:53 doffuovouvvufoz97964d-39377.portmap.host udp

Files

memory/1532-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/1532-1-0x000001D71A8B0000-0x000001D71A9D0000-memory.dmp

memory/1532-2-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/1532-3-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/1532-4-0x000001D737E70000-0x000001D737F3C000-memory.dmp

memory/1532-6-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/1532-7-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Infected.exe

MD5 b79066a5172f1508c1b9a8d02e9edd29
SHA1 08a74b0096e1df0043246e65bfe5861af4611515
SHA256 66eb0f1ec9845025074d4e91f6a9f5a1a91fca45f9a59bbdb5d718ba84948674
SHA512 033496e0033a0c359efbf2dbf61fa9c41804c26d3271b34b1b320598d9f3e9ea0b3276715eb99f77e50c62f3561f7fb4ad195f5b37c05430b66d0b6cb0489375

memory/3916-18-0x0000000000040000-0x0000000000056000-memory.dmp

memory/3916-19-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/3916-20-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/3916-25-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.bat

MD5 0c8275402e3db7547a34551b85ebdafe
SHA1 14fc6ceab9c37e32211804d49b492cbecd9b4b69
SHA256 216ca709f1c43b3a0dc1392af0d9300070e02d0546a5e99d9141abbe8bc050c3
SHA512 d423e61f270474e158cf184fa934f79c8d310afb68d52bf37d2ca1dc8975eea0eaed63f275e68f15bcede5f4a95cb84377ccd260df47262278fbc83608e1caa0

memory/1532-30-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:40

Reported

2024-06-20 03:42

Platform

win7-20240611-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe

"C:\Users\Admin\AppData\Local\Temp\f7d1b2ecb7f47ed1311ed562bd1565f2e849d26e0c076e6ec6125d535bf17c11.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2440 -s 776

Network

N/A

Files

memory/2440-0-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

memory/2440-1-0x0000000000AA0000-0x0000000000BC0000-memory.dmp

memory/2440-2-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

memory/2440-3-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

memory/2440-4-0x000000001BCB0000-0x000000001BD7C000-memory.dmp

memory/2440-5-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

memory/2440-6-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp