Analysis
max time kernel: 31s
max time network: 32s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-06-2024 19:55
Static task: static1
General
Target: XBinderOutput.exe
Size: 172KB
MD5: 511d2c958154e9a4534372bda7f61751
SHA1: cedb2dcdfe2d4534d6eb2e66496e0873388e0678
SHA256: 83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798
SHA512: fbf05cd528e26424dfb53659ac07f7d2b8d55aa6a153b625d0f50953fef613d6d11c397a836f916a915711fbe520a4d43b6d9918cc8b04373cacb482c4e37d57
SSDEEP: 3072:vmCzFoOQIvXCs4fNGV881cclxWRQlKCYCtiVs5kwzxze2vb3fYH2JN:XFocCs4VMGcKOxYPiqE5vjfa
Malware Config
Extracted
asyncrat
0.5.8
Default
LmnYzRoga2CL
delay: 3
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/BSSw6HT3
Signatures

Async RAT payload (1 IoCs)
  resource                                                              | yara_rule
  behavioral1/memory/4204-21-0x0000000004F50000-0x0000000004F62000-memory.dmp | family_asyncrat

Executes dropped EXE (2 IoCs)
  pid  | process
  4204 | AsyncFull.exe
  2312 | pops.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  2312 | pops.exe
  2312 | pops.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               | pid  | process
  Token: SeDebugPrivilege   | 2312 | pops.exe
  Token: SeDebugPrivilege   | 4204 | AsyncFull.exe
  Token: SeDebugPrivilege   | 4204 | AsyncFull.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                        | pid  | process           | target process
  PID 4256 wrote to memory of 4204   | 4256 | XBinderOutput.exe | AsyncFull.exe
  PID 4256 wrote to memory of 4204   | 4256 | XBinderOutput.exe | AsyncFull.exe
  PID 4256 wrote to memory of 4204   | 4256 | XBinderOutput.exe | AsyncFull.exe
  PID 4256 wrote to memory of 2312   | 4256 | XBinderOutput.exe | pops.exe
  PID 4256 wrote to memory of 2312   | 4256 | XBinderOutput.exe | pops.exe
Processes

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\pops.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pops.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe
  Filesize: 82KB
  MD5: fde34a227baab4069f459cac32e6109b
  SHA1: b1f4e52cd57853e3c951d1f01699f793706ca899
  SHA256: a5913acf5857d31f22fbbdc29a7810de97d70fb69009c4f844ff4a6af362f047
  SHA512: b098d6dbe661128999788befb01322d845dbe52253e318db3d04a4f41ab95c2083e7698a97282b164db7c31dbb82f43f36aa4c86550120ba8b57703898679100

C:\Users\Admin\AppData\Local\Temp\pops.exe
  Filesize: 122KB
  MD5: 9eb31428dfab7ceb8b52c96e7480b0c4
  SHA1: 05a7e7bc4c182a3714addc8a6746b662dd500e82
  SHA256: f2da0525ae7d061b232ace45eea6451d26c462f207ceedd171c6fd5b8ff74fb4
  SHA512: 9645c3f07de4b8899c3069078687b2370c9116c50ec9048f14ece1f8a507e7df3ce31e9dbe28fb5d01a4ea91b7d564eb0bc463d92cd9b167ed171a1b9b59670e

Memory dumps
  memory/2312-15-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp  Filesize: 9.9MB
  memory/2312-23-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp  Filesize: 9.9MB
  memory/2312-17-0x0000000001680000-0x000000000168C000-memory.dmp  Filesize: 48KB
  memory/2312-13-0x0000000000D40000-0x0000000000D66000-memory.dmp  Filesize: 152KB
  memory/4204-19-0x00000000053E0000-0x00000000053FE000-memory.dmp  Filesize: 120KB
  memory/4204-27-0x00000000062D0000-0x000000000636C000-memory.dmp  Filesize: 624KB
  memory/4204-16-0x00000000734DE000-0x00000000734DF000-memory.dmp  Filesize: 4KB
  memory/4204-18-0x0000000000C30000-0x0000000000C4A000-memory.dmp  Filesize: 104KB
  memory/4204-31-0x00000000734D0000-0x0000000073BBE000-memory.dmp  Filesize: 6.9MB
  memory/4204-20-0x0000000002DA0000-0x0000000002DA6000-memory.dmp  Filesize: 24KB
  memory/4204-21-0x0000000004F50000-0x0000000004F62000-memory.dmp  Filesize: 72KB
  memory/4204-22-0x00000000734D0000-0x0000000073BBE000-memory.dmp  Filesize: 6.9MB
  memory/4204-30-0x00000000734DE000-0x00000000734DF000-memory.dmp  Filesize: 4KB
  memory/4204-29-0x0000000006370000-0x00000000063D6000-memory.dmp  Filesize: 408KB
  memory/4204-28-0x0000000008160000-0x000000000865E000-memory.dmp  Filesize: 5.0MB
  memory/4256-14-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp  Filesize: 9.9MB
  memory/4256-24-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp  Filesize: 9.9MB
  memory/4256-1-0x00000000003F0000-0x0000000000422000-memory.dmp  Filesize: 200KB
  memory/4256-0-0x00007FFF44693000-0x00007FFF44694000-memory.dmp  Filesize: 4KB