Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 20:37

General

  • Target

    2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe

  • Size

    47KB

  • MD5

    c6f6dc7bba217c28483bf2d105cbfad2

  • SHA1

    e09f5fb55ee7c3709c310d0882437ccc95d14acf

  • SHA256

    2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044

  • SHA512

    60d7cc4f0a9538b677a7ee71553ce0ea95d0225e68d60ea36ed931a3e6f6200a0b1ff5e77e1b9b488e1879b5d843f82a3893acf451977702dd154e649049c2a3

  • SSDEEP

    768:4u1a71T3EiJfWUzDydmo2qz/0KuKbYWiDOQtPI9aygOB0KK60bNEyklQR/MVG4D7:4u1a71T3xq2+0KADXK9aC0KKlbNEXQR2

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

Y27AkfNWf4he

Attributes
  • delay

    3

  • install

    true

  • install_file

    Solara.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/UpAYSpm6

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 1 IoCs
  • Detects file containing reversed ASEP Autorun registry keys 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
    "C:\Users\Admin\AppData\Local\Temp\2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Solara" /tr '"C:\Users\Admin\AppData\Roaming\Solara.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Solara" /tr '"C:\Users\Admin\AppData\Roaming\Solara.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1842.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2448
      • C:\Users\Admin\AppData\Roaming\Solara.exe
        "C:\Users\Admin\AppData\Roaming\Solara.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Discovery

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1842.tmp.bat
    Filesize

    150B

    MD5

    c4049b6123043720a753b82a2f3126e9

    SHA1

    6c966eafa732d26a0526e624f2e267a9676489b2

    SHA256

    beb1f9089fffb4cdd9e531009f5b30a3788a45b2b923cce98ca3aa88d477fbb5

    SHA512

    c905f6f48314721a481ea4693033a0b95d37e8b2dda3261f73bb4ea4a3f5e3156b4905e9cce4880bb72614c4c17ce4d1c2929cb4dc8d0a6282e40eafb8e4464a

  • \Users\Admin\AppData\Roaming\Solara.exe
    Filesize

    47KB

    MD5

    c6f6dc7bba217c28483bf2d105cbfad2

    SHA1

    e09f5fb55ee7c3709c310d0882437ccc95d14acf

    SHA256

    2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044

    SHA512

    60d7cc4f0a9538b677a7ee71553ce0ea95d0225e68d60ea36ed931a3e6f6200a0b1ff5e77e1b9b488e1879b5d843f82a3893acf451977702dd154e649049c2a3

  • memory/2100-0-0x00000000745AE000-0x00000000745AF000-memory.dmp
    Filesize

    4KB

  • memory/2100-1-0x0000000000B60000-0x0000000000B72000-memory.dmp
    Filesize

    72KB

  • memory/2100-2-0x00000000745A0000-0x0000000074C8E000-memory.dmp
    Filesize

    6.9MB

  • memory/2100-11-0x00000000745A0000-0x0000000074C8E000-memory.dmp
    Filesize

    6.9MB

  • memory/2476-16-0x0000000000AA0000-0x0000000000AB2000-memory.dmp
    Filesize

    72KB