Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-06-2024 20:37

General

  • Target

    2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe

  • Size

    47KB

  • MD5

    c6f6dc7bba217c28483bf2d105cbfad2

  • SHA1

    e09f5fb55ee7c3709c310d0882437ccc95d14acf

  • SHA256

    2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044

  • SHA512

    60d7cc4f0a9538b677a7ee71553ce0ea95d0225e68d60ea36ed931a3e6f6200a0b1ff5e77e1b9b488e1879b5d843f82a3893acf451977702dd154e649049c2a3

  • SSDEEP

    768:4u1a71T3EiJfWUzDydmo2qz/0KuKbYWiDOQtPI9aygOB0KK60bNEyklQR/MVG4D7:4u1a71T3xq2+0KADXK9aC0KKlbNEXQR2

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

Y27AkfNWf4he

Attributes
  • delay

    3

  • install

    true

  • install_file

    Solara.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/UpAYSpm6

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 1 IoCs
  • Detects file containing reversed ASEP Autorun registry keys 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe
    "C:\Users\Admin\AppData\Local\Temp\2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Solara" /tr '"C:\Users\Admin\AppData\Roaming\Solara.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Solara" /tr '"C:\Users\Admin\AppData\Roaming\Solara.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp565D.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:5028
      • C:\Users\Admin\AppData\Roaming\Solara.exe
        "C:\Users\Admin\AppData\Roaming\Solara.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp565D.tmp.bat
    Filesize

    150B

    MD5

    3bffe5f5fbf25e56e206a590a67cddbf

    SHA1

    ec7f2f1805f27ec6d956bbb4da5785a934243e8c

    SHA256

    fe1c27a4ea41fee1671ec529f92488e19a6d36432216ec18d1161ffcaeea2977

    SHA512

    81ee7ad8fa62989ecb4deb7cc437a0df1cb57407c24cb3788a672ea7ad2a1a005aa9836ac3f10830bd3f61cd203c5f50dd05f62bd949c754615801aba9cc1f2c

  • C:\Users\Admin\AppData\Roaming\Solara.exe
    Filesize

    47KB

    MD5

    c6f6dc7bba217c28483bf2d105cbfad2

    SHA1

    e09f5fb55ee7c3709c310d0882437ccc95d14acf

    SHA256

    2cb3ccdd4a695657e2a4a73147070f2c724d3ec1e9b1febddc4774643eeaa044

    SHA512

    60d7cc4f0a9538b677a7ee71553ce0ea95d0225e68d60ea36ed931a3e6f6200a0b1ff5e77e1b9b488e1879b5d843f82a3893acf451977702dd154e649049c2a3

  • memory/1116-0-0x00000000750AE000-0x00000000750AF000-memory.dmp
    Filesize

    4KB

  • memory/1116-1-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
    Filesize

    72KB

  • memory/1116-2-0x00000000750A0000-0x0000000075850000-memory.dmp
    Filesize

    7.7MB

  • memory/1116-3-0x0000000005410000-0x0000000005476000-memory.dmp
    Filesize

    408KB

  • memory/1116-4-0x00000000058D0000-0x000000000596C000-memory.dmp
    Filesize

    624KB

  • memory/1116-10-0x00000000750A0000-0x0000000075850000-memory.dmp
    Filesize

    7.7MB

  • memory/3244-14-0x00000000750A0000-0x0000000075850000-memory.dmp
    Filesize

    7.7MB

  • memory/3244-15-0x00000000750A0000-0x0000000075850000-memory.dmp
    Filesize

    7.7MB