Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-06-2024 09:06
Behavioral task: behavioral1
Sample: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
Resource: win10v2004-20240508-en
General
Target: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
Size: 47KB
MD5: 6d13d147a209e3be044035f0c03b7bde
SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
SSDEEP: 768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  94.232.249.111:6606
  94.232.249.111:7707
  94.232.249.111:8808
Mutex: o6tEeoRxJb0n
Attributes:
  delay: 3
  install: true
  install_file: svchost.exe
  install_folder: %AppData%
Note: 127.0.0.1 on ports 6606/7707/8808 is the AsyncRAT builder's default host/port set left in the config; only 94.232.249.111 is operator-supplied and worth treating as a network indicator. Because the operator kept the default ports, a port-only network signature is weak for this sample. The install settings tell the host side of the story: the RAT copies itself to %AppData%\svchost.exe (a system-binary name in a user-writable directory) and waits 3 seconds before running the copy.
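As an added example (not part of the sandbox report), the following Python turns the extracted C2 list into the indicators an analyst would actually push to a blocklist or a hunt: it parses the host:port entries, drops loopback and other non-routable builder defaults, deduplicates, and flags that only AsyncRAT default ports are in use. EXTRACTED_C2 is copied from the config above; the function names and the ASYNCRAT_DEFAULT_PORTS set are this example's own assumptions.

```python
"""Triage the extracted AsyncRAT C2 list into actionable network IOCs.

Added example; not part of the sandbox report.
"""
import ipaddress

# C2 entries exactly as listed in the extracted config above.
EXTRACTED_C2 = [
    "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
    "94.232.249.111:6606", "94.232.249.111:7707", "94.232.249.111:8808",
]

# The AsyncRAT builder ships 127.0.0.1 and ports 6606/7707/8808 as its defaults
# (assumption stated in the lead-in), so a port-only match proves very little.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}


def parse_c2(entry: str) -> tuple:
    """Split 'host:port' (IPv6 may be bracketed) and validate the port range."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep or not host:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    port_num = int(port)  # raises ValueError on a non-numeric port
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {entry!r}")
    return host.strip("[]"), port_num


def is_routable(host: str) -> bool:
    """True for a public IP address; domain names are kept for DNS/proxy hunting."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP literal: a hostname, resolved elsewhere
    return ip.is_global  # False for loopback, private, link-local, reserved


def actionable_c2(entries) -> list:
    """Return deduplicated (host, port) pairs worth blocking, in config order."""
    seen, result = set(), []
    for entry in entries:
        host, port = parse_c2(entry)
        if not is_routable(host) or (host, port) in seen:
            continue
        seen.add((host, port))
        result.append((host, port))
    return result


def uses_default_ports(entries) -> bool:
    """True when every entry uses a builder-default port (weak port signature)."""
    return all(parse_c2(e)[1] in ASYNCRAT_DEFAULT_PORTS for e in entries)


if __name__ == "__main__":
    for host, port in actionable_c2(EXTRACTED_C2):
        print(f"{host}:{port}")
    print("default ports only:", uses_default_ports(EXTRACTED_C2))
```

Run against the list above it yields the three 94.232.249.111 pairs and reports that only default ports are present; the loopback entries never reach the output, which is the check that stops a blocklist from being polluted with 127.0.0.1.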
Signatures
- Async RAT payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\svchost.exe, yara_rule: family_asyncrat
- Executes dropped EXE (1 IoC)
  pid 4636 svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid 548 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid 2284 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe (19 events, all from this one process)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2284 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
  Token: SeDebugPrivilege, pid 4636 svchost.exe
  Both the original sample and the dropped copy request SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (15 IoCs)
  source pid (process) -> target pid (process), events
  2284 (9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe) -> 4440 (cmd.exe), 3
  2284 (9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe) -> 2592 (cmd.exe), 3
  4440 (cmd.exe) -> 3016 (schtasks.exe), 3
  2592 (cmd.exe) -> 548 (timeout.exe), 3
  2592 (cmd.exe) -> 4636 (svchost.exe), 3
  Every pair is a parent writing into a child it has just created, matching the process tree below one for one; there is no write into an unrelated process, so this signature reflects ordinary process creation rather than injection.
Processes
C:\Users\Admin\AppData\Local\Temp\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2284
  |- C:\Windows\SysWOW64\cmd.exe
  |    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  |    - Suspicious use of WriteProcessMemory
  |    PID: 4440
  |    |- C:\Windows\SysWOW64\schtasks.exe
  |         command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
  |         - Scheduled Task/Job: Scheduled Task
  |         PID: 3016
  |- C:\Windows\SysWOW64\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat""
       - Suspicious use of WriteProcessMemory
       PID: 2592
       |- C:\Windows\SysWOW64\timeout.exe
       |    command line: timeout 3
       |    - Delays execution with timeout.exe
       |    PID: 548
       |- C:\Users\Admin\AppData\Roaming\svchost.exe
            command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 4636

Reading the tree: the image paths are under C:\Windows\SysWOW64\ while the command lines name C:\Windows\System32\, which means the sample is a 32-bit process and WoW64 file-system redirection resolved its System32 requests to SysWOW64; the mismatch is expected, not tampering. Persistence is a scheduled task named "svchost" with an onlogon trigger and /rl highest, whose action is the copy of the sample at C:\Users\Admin\AppData\Roaming\svchost.exe, exactly the install_file and install_folder from the config. The copy is not started by the sample directly: a temporary batch file (tmp6040.tmp.bat) runs timeout 3, matching delay 3 in the config, and only then launches the dropped copy, so the 3-second gap between the batch starting and svchost.exe appearing is the expected pattern. For hunting, the useful combination is a scheduled task whose action points into a user profile directory, a system-binary filename running from outside System32/SysWOW64, and a cmd.exe that runs a .bat from Temp, spawns timeout.exe and then an executable from AppData.
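As an added example (not part of the sandbox report), the following Python encodes the three behaviours in the tree above as detection logic and runs it over process-creation events constructed to mirror that tree. The images, command lines and PIDs are taken from the report; the pid/ppid/image/cmdline field names are an assumed normalised schema rather than any vendor's format, the root process's parent PID is made up, and the rule and function names are this example's own.

```python
"""Detection logic for the AsyncRAT persistence chain in the process tree above.

Added example; not part of the sandbox report. EVENTS is constructed to mirror
the report's process tree. Field names are an assumed normalised schema.
"""
import ntpath
import shlex

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe")
SCHTASKS_ARGS = ('/create /f /sc onlogon /rl highest /tn "svchost" '
                 "/tr '\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"'")

EVENTS = [  # constructed from the report's tree; ppid 1000 for the root is made up
    {"pid": 2284, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4440, "ppid": 2284, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c schtasks {SCHTASKS_ARGS} & exit'},
    {"pid": 3016, "ppid": 4440, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f"schtasks {SCHTASKS_ARGS}"},
    {"pid": 2592, "ppid": 2284, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat""'},
    {"pid": 548, "ppid": 2592, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 4636, "ppid": 2592, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
]


def _basename(ev) -> str:
    return ntpath.basename(ev["image"].lower())


def is_masquerading(ev) -> bool:
    """A system-binary filename executing from outside System32/SysWOW64."""
    return _basename(ev) in SYSTEM_BINARY_NAMES and not ev["image"].lower().startswith(SYSTEM_DIRS)


def schtasks_options(cmdline: str) -> dict:
    """Return {sc, tn, tr, rl} from a 'schtasks /create' command line, else {}."""
    try:
        # Non-POSIX mode keeps Windows backslashes and leaves quotes on tokens.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes in a real-world command line
        return {}
    stripped = [t.strip("'\"") for t in tokens]
    lowered = [t.lower() for t in stripped]
    if not any(t in ("schtasks", "schtasks.exe") or t.endswith("\\schtasks.exe") for t in lowered):
        return {}
    if "/create" not in lowered:
        return {}
    opts = {}
    for i, tok in enumerate(lowered[:-1]):
        if tok in ("/sc", "/tn", "/tr", "/rl"):
            opts[tok[1:]] = stripped[i + 1]  # keep the action's original case
    return opts


def logon_task_from_user_path(ev) -> bool:
    """Logon/boot-triggered task whose action lives in a user-writable directory."""
    opts = schtasks_options(ev["cmdline"])
    if not opts:
        return False
    action = opts.get("tr", "").lower()
    return opts.get("sc", "").lower() in ("onlogon", "onstart") and any(p in action for p in USER_WRITABLE)


def delayed_launch_chains(events) -> list:
    """cmd.exe running a .bat that spawns timeout.exe and an exe from a user-writable path.
    Returns [(cmd_pid, [launched_pids])]; child ordering is not required."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for ev in events:
        if _basename(ev) != "cmd.exe" or ".bat" not in ev["cmdline"].lower():
            continue
        children = by_parent.get(ev["pid"], [])
        waited = any(_basename(c) == "timeout.exe" for c in children)
        launched = [c["pid"] for c in children
                    if _basename(c) != "timeout.exe"
                    and any(p in c["image"].lower() for p in USER_WRITABLE)]
        if waited and launched:
            hits.append((ev["pid"], launched))
    return hits


def triage(events) -> list:
    """Run every rule; (rule, pid) findings in event order, chain findings last."""
    findings = []
    for ev in events:
        if is_masquerading(ev):
            findings.append(("masquerading_system_binary", ev["pid"]))
        if logon_task_from_user_path(ev):
            findings.append(("logon_task_from_user_path", ev["pid"]))
    for cmd_pid, _launched in delayed_launch_chains(events):
        findings.append(("delayed_launch_from_bat", cmd_pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule}: pid {pid}")
```

On the constructed events the schtasks rule fires twice (the cmd.exe wrapper and schtasks.exe itself carry the same arguments), the masquerading rule fires on the dropped svchost.exe, and the chain rule fires on the cmd.exe that ran the batch file. The schtasks parser deliberately ignores a daily or one-time trigger and a task whose action is under Program Files, which keeps ordinary software updaters out of the results.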
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151B
  MD5: f0fa0160cd23e9e68c0ce23a8d3476a8
  SHA1: 107f99f0ae28d8d464a60944cf1e81522607c712
  SHA256: 09acb5aca40d6f0bf1fd2b0dc8cb7df1c67b90a362e5219146f88f4bd8391623
  SHA512: 24c5161633fcaf11f19ce79463fa1aba2e6212db812046ed9e36a526d26f121b286d2286c9475d45ac35b554c9e2975a17663a1759ba3521474de319023807f0
- Filesize: 47KB (same hashes as the submitted sample)
  MD5: 6d13d147a209e3be044035f0c03b7bde
  SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
  SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
  SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9