Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 22:54
Behavioral task: behavioral1
Sample: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
Resource: win7-20240221-en
General
Target: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
Size: 47KB
MD5: 4a56c6e517888a3524999e18e6d7740b
SHA1: 3781d9472264ca9af471cdc80ffc87c34134c112
SHA256: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706
SHA512: 0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e
SSDEEP: 768:Euzkx3FTkYwt9y4gWUOlKnjamo2q8ayby6FXbWPI8rQ9Hyfw+0bF3HFZBzUccTUW:EuS3FTHHe2Gy+6Z78rQ9HGWbF3T9U5+Q
Malware Config
Extracted: asyncrat 0.5.8
Default
0UfuvIZfaBv8
delay: 3
install: true
install_file: api.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/aDAYnLv4
Signatures
Async RAT payload (1 IoCs)
Processes: resource yara_rule \Users\Admin\AppData\Roaming\api.exe family_asyncrat
Executes dropped EXE (1 IoCs)
Processes: api.exe, pid 2784
Loads dropped DLL (1 IoCs)
Processes: cmd.exe, pid 860
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 28 IoCs)
flow ioc: flows 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, each to pastebin.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe, pid 2660
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe, pid 2732 (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Token: SeDebugPrivilege, pid 2732 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe; Token: SeDebugPrivilege, pid 2784 api.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source pid, source process, target pid, target process, event count):
- PID 2732 (44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe) wrote to memory of 2908 (cmd.exe), 4 events
- PID 2732 (44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe) wrote to memory of 860 (cmd.exe), 4 events
- PID 2908 (cmd.exe) wrote to memory of 2656 (schtasks.exe), 4 events
- PID 860 (cmd.exe) wrote to memory of 2660 (timeout.exe), 4 events
- PID 860 (cmd.exe) wrote to memory of 2784 (api.exe), 4 events
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706.exe"
  PID: 2732
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"' & exit
    PID: 2908
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"'
      PID: 2656
      - Scheduled Task/Job: Scheduled Task
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat""
    PID: 860
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      PID: 2660
      - Delays execution with timeout.exe
    [depth 3] C:\Users\Admin\AppData\Roaming\api.exe
      command line: "C:\Users\Admin\AppData\Roaming\api.exe"
      PID: 2784
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 147B
MD5: 2629180e481445b3a88a00391a7fcc66
SHA1: e539dbad5e285dcf69ae22ea18a407580596d3db
SHA256: fbd1687c1c0ef67f9867ff07eaea4db113804c9131d27261afe79c2d9fe6ff8e
SHA512: 370ad4c5cb846b1fff8836be9ffddea3f74df6b31008871bdfe1565c5878157508abd25e1f7bc492298b32d9f576c358102599934edfd3f21e4c86711a96b403
Filesize: 47KB
MD5: 4a56c6e517888a3524999e18e6d7740b
SHA1: 3781d9472264ca9af471cdc80ffc87c34134c112
SHA256: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706
SHA512: 0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e