Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 09:06

Behavioral task: behavioral1
Sample: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
Resource: win10v2004-20240508-en
General
Target: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
Size: 47KB
MD5: 6d13d147a209e3be044035f0c03b7bde
SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
SSDEEP: 768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  94.232.249.111:6606
  94.232.249.111:7707
  94.232.249.111:8808
Mutex: o6tEeoRxJb0n
Attributes:
  delay: 3
  install: true
  install_file: svchost.exe
  install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\svchost.exe; yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried by 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1048: svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1804: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes:
    pid 4496: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe (23 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token SeDebugPrivilege, pid 4496: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
    Token SeDebugPrivilege, pid 1048: svchost.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (pid process -> target pid target process; each pair reported 3 times):
    4496 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe -> 4136 cmd.exe
    4496 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe -> 2516 cmd.exe
    2516 cmd.exe -> 1804 timeout.exe
    4136 cmd.exe -> 1728 schtasks.exe
    2516 cmd.exe -> 1048 svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe"
  PID: 4496
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 4136
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 1728
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp757E.tmp.bat""
    PID: 2516
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      PID: 1804
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 1048
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 151B
MD5: 7efe3cb10a60074bcb527a7150815576
SHA1: 8ae3adc53b810aa276cafdeff4fccb94c949ac8d
SHA256: 1062983cc5b2e9cca789db5a38a45f2851061e69cc923b634976d257fee173ad
SHA512: 772c9ae6f8d3ba56148cae6ce7068b606b6583b7b4159a319cb14b2333d09f7cce6762643021d5a3fd57ac30295f71c1a1be9e033b81bd243ddb8a967d5f9235
-
Filesize: 47KB
MD5: 6d13d147a209e3be044035f0c03b7bde
SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9