Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-06-2024 18:40
General
- Target: Dllhost.exe
- Size: 47KB
- MD5: 87bc62c9412b158944dcd660b65c1fc9
- SHA1: bf2541d0537f58440738c9b6a8f43b3da95588cc
- SHA256: b324d1b19e6c6eff0efb46fbee13d56a71ecdf1f3891a30f3435ba671adf07f0
- SHA512: 9d6b2c0b8e1768307b4a7f5ca4b6b6f5720b1882271ba666ff1e24b8560b77c47b478122abec5b6c660eb7acb74ec46818dc2ba373fdad999b1623e170ee82fd
- SSDEEP: 768:AuwpFTAY3IQWUe9jqmo2qL8w92alD/NOaPIEbc8ZY40bNWVXgfOpcob01BDZjx:AuwpFTA4/2OtlrNOjEIwYzbN6XgWidbH
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 4.tcp.eu.ngrok:17215
- Mutex: KUvjRMJgonFa
- delay: 3
- install: true
- install_file: dllhost.exe
- install_folder: %AppData%

The C2 is an ngrok TCP tunnel endpoint rather than attacker-owned infrastructure, so the host:port pair is a weak long-term indicator: the tunnel can be re-created on another hostname and port at any time. The install fields (install_file dllhost.exe, install_folder %AppData%, delay 3) describe exactly the process chain recorded below.
Signatures
- Async RAT payload (1 IoC)
  yara_rule family_asyncrat matched on C:\Users\Admin\AppData\Roaming\dllhost.exe
- Executes dropped EXE (1 IoC)
  process: dllhost.exe (PID 976)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  process: timeout.exe (PID 2112)
- Modifies registry class (1 IoC)
  MiniSearchHost.exe: Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache
  (MuiCache writes by MiniSearchHost.exe, a Windows shell component, are normal desktop activity; nothing ties this entry to the sample.)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  process: Dllhost.exe (PID 2436), 19 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: Dllhost.exe (PID 2436)
  Token SeDebugPrivilege: dllhost.exe (PID 976), twice
- Suspicious use of SetWindowsHookEx (1 IoC)
  process: MiniSearchHost.exe (PID 3164)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2436 Dllhost.exe wrote to memory of PID 3900 cmd.exe (3 times)
  PID 2436 Dllhost.exe wrote to memory of PID 1592 cmd.exe (3 times)
  PID 1592 cmd.exe wrote to memory of PID 2112 timeout.exe (3 times)
  PID 3900 cmd.exe wrote to memory of PID 1940 schtasks.exe (3 times)
  PID 1592 cmd.exe wrote to memory of PID 976 dllhost.exe (3 times)
  Every entry is a parent writing into the child it has just created, matching the process tree below; no write into an unrelated process is recorded, so this signature reflects process creation rather than injection.
Processes
(PIDs taken from the signature tables above; the number in brackets is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\Dllhost.exe (PID 2436)
  command line: "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3900)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 1940)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"'
      - Scheduled Task/Job: Scheduled Task
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1592)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B48.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\timeout.exe (PID 2112)
      command line: timeout 3
      - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 976)
      command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (PID 3164)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

Reading the tree: the sample registers a logon task named "dllhost" at the highest run level pointing at its %AppData% copy (the config's install_folder and install_file), then runs a temporary batch file that waits three seconds (the config's delay) and starts the copy. The child processes are launched from SysWOW64 even though the command lines name System32, which is WOW64 file-system redirection: the sample is a 32-bit process, consistent with the CLR_v4.0_32 usage log listed under Downloads. MiniSearchHost.exe is a separate top-level Windows shell process with no link to the sample.
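The three behaviours above (logon task with highest run level pointing into a user-writable folder, a system binary name running outside System32/SysWOW64, and cmd running a Temp .bat that sleeps with timeout.exe before launching a dropped executable) are what the Malware Config's install settings produce on disk, and they hunt well from process-creation telemetry. The following is an added example and not code from the sandbox report or from AsyncRAT; the event records are constructed from this report's process tree in a simplified Sysmon Event ID 1 shape whose field names, the ppid 0 for the top-level processes, and the list of system binary names are this example's own assumptions.

```python
"""Hunt rules for the AsyncRAT install chain shown in this report.

Added example: not code from the sandbox report or from AsyncRAT. The
records below are constructed from the report's process tree (PIDs, image
paths, command lines); the field names are this example's own assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Locations a standard user can write to. A logon task whose action lives
# here, or a "system" binary running from here, is the signal; the file
# name dllhost.exe on its own is not.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\appdata\\|\\users\\public\\|%(appdata|localappdata|temp)%)")
SYSTEM_DIR = re.compile(r"(?i)^c:\\windows\\(system32|syswow64)\\[^\\]+$")
# Windows binary names worth checking for path masquerading (assumed list).
SYSTEM_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "conhost.exe", "explorer.exe"}

# The command the report shows schtasks.exe receiving (note the nested '"..."' quoting).
SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "dllhost" '
                '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe"\'')

# Constructed sample modelled on the report. The sandbox shows no parent for
# the two top-level processes, so ppid 0 is assumed there.
SAMPLE_EVENTS = [
    ProcEvent(2436, 0, r"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"'),
    ProcEvent(3900, 2436, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS_CMD + " & exit"),
    ProcEvent(1940, 3900, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(1592, 2436, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B48.tmp.bat""'),
    ProcEvent(2112, 1592, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(976, 1592, r"C:\Users\Admin\AppData\Roaming\dllhost.exe",
              r'"C:\Users\Admin\AppData\Roaming\dllhost.exe"'),
    ProcEvent(3164, 0, r"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe",
              r'"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" '
              r"-ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca"),
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def task_action(cmdline: str) -> Optional[str]:
    """Return the unquoted /tr target of a 'schtasks /create' command line, else None.

    The argument runs up to the next switch, a '&' chaining operator or end of
    line, which copes with the nested '"path"' quoting seen in the report.
    """
    if not re.search(r"(?i)\bschtasks\b.*/create\b", cmdline):
        return None
    m = re.search(r"(?i)/tr\s+(.+?)(?=\s+/|\s*&|$)", cmdline)
    return m.group(1).strip("'\" ") if m else None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the three behaviours the report records."""
    findings = []
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    for e in events:
        name = basename(e.image)

        # 1. Persistence: logon/boot task at highest run level whose action is a
        #    user-writable path (the config's install_folder %AppData%).
        action = task_action(e.cmdline)
        if (action and USER_WRITABLE.search(action)
                and re.search(r"(?i)/sc\s+(onlogon|onstart)\b", e.cmdline)
                and re.search(r"(?i)/rl\s+highest\b", e.cmdline)):
            findings.append(("schtasks_logon_userpath", e.pid, action))

        # 2. Masquerading: a system binary name started outside System32/SysWOW64.
        if name in SYSTEM_NAMES and not SYSTEM_DIR.match(e.image):
            findings.append(("system_name_outside_system_dir", e.pid, e.image))

        # 3. Install chain: cmd runs a .bat from a user path, sleeps with
        #    timeout.exe (the config's delay), then starts the dropped exe.
        if name == "cmd.exe" and re.search(r"(?i)\.bat\b", e.cmdline) and USER_WRITABLE.search(e.cmdline):
            kids = children[e.pid]
            delayed = any(basename(k.image) == "timeout.exe" for k in kids)
            for k in kids:
                if delayed and basename(k.image).endswith(".exe") and USER_WRITABLE.search(k.image):
                    findings.append(("bat_timeout_then_dropped_exe", k.pid, k.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run against the constructed events, the rules fire on PIDs 2436, 3900, 1940 and 976 and stay silent on the benign MiniSearchHost.exe and on the system timeout.exe. The persistence rule keys on the action path and run level rather than the task name, since "dllhost" is an arbitrary string the operator can change, and the masquerade rule keys on the directory rather than the file name for the same reason.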
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dllhost.exe.log
  Filesize: 614B
  MD5: fece27917067365b631bc648c66fe066
  SHA1: f12c84b1c2b1296091ee06e8654c7065d22cbb44
  SHA256: 93e03593374ce40bc5d4c57832ebe96d3a6a532766eb6385f568a0383b426d10
  SHA512: 9b502a6d46b82ccc2c8aff650de664299f0131a82480eb9cec701546e9cd7f1647c0665014035c19da80a6cab267cf896645af827ecdd95287a70994c1ecb662
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 9a7af7f1f08f7de9da3ba647286ee5a6
  SHA1: d7a23961ba5f8c4242a03f20686ff516c2ae432c
  SHA256: dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b
  SHA512: 64b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 35745802ec2865acb4c60e651e5a8620
  SHA1: f10c746a71c2741790aa3f5160ea7d9be1a1920a
  SHA256: ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63
  SHA512: 0031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f
- C:\Users\Admin\AppData\Local\Temp\tmp8B48.tmp.bat
  Filesize: 151B
  MD5: 8d2a88f6de9fdca789c4843f2bd1aa99
  SHA1: 9274d676172c76fad9ffe1720574acc7309275f2
  SHA256: c8e7887b91d832fc0aeed742cdb2e336b05d9a43f86e411d77e5e80ceaaf4f6a
  SHA512: a6e6f2ad2e63d3636d22deaf87ff16c1e113358a7007bb72b39c82d7ae5cd44bba7fa0c44e024e8d1f439151e371172bad3c87eb920724d9b7542d3e54e442a8
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 47KB
  MD5: 87bc62c9412b158944dcd660b65c1fc9
  SHA1: bf2541d0537f58440738c9b6a8f43b3da95588cc
  SHA256: b324d1b19e6c6eff0efb46fbee13d56a71ecdf1f3891a30f3435ba671adf07f0
  SHA512: 9d6b2c0b8e1768307b4a7f5ca4b6b6f5720b1882271ba666ff1e24b8560b77c47b478122abec5b6c660eb7acb74ec46818dc2ba373fdad999b1623e170ee82fd
  (Identical hashes to the submitted sample: the install step copies the binary to %AppData% unchanged, so the file hashes above are valid indicators for both the dropper location and the persisted copy.)

Memory dumps
- memory/976-15-0x0000000075140000-0x00000000758F1000-memory.dmp (Filesize: 7.7MB)
- memory/976-36-0x0000000075140000-0x00000000758F1000-memory.dmp (Filesize: 7.7MB)
- memory/2436-9-0x00000000751F0000-0x00000000759A1000-memory.dmp (Filesize: 7.7MB)
- memory/2436-4-0x0000000005780000-0x000000000581C000-memory.dmp (Filesize: 624KB)
- memory/2436-3-0x00000000052E0000-0x0000000005346000-memory.dmp (Filesize: 408KB)
- memory/2436-0-0x00000000751FE000-0x00000000751FF000-memory.dmp (Filesize: 4KB)
- memory/2436-2-0x00000000751F0000-0x00000000759A1000-memory.dmp (Filesize: 7.7MB)
- memory/2436-1-0x0000000000880000-0x0000000000892000-memory.dmp (Filesize: 72KB)