Analysis
- max time kernel: 136s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 01:38

Behavioral task: behavioral1
Sample: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
Resource: win7-20240611-en
General
- Target: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
- Size: 47KB
- MD5: 6d13d147a209e3be044035f0c03b7bde
- SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
- SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
- SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
- SSDEEP: 768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2 hosts and ports:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  94.232.249.111:6606
  94.232.249.111:7707
  94.232.249.111:8808
- Mutex: o6tEeoRxJb0n
- delay: 3
- install: true
- install_file: svchost.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\svchost.exe, yara_rule: family_asyncrat
- Detects file containing reversed ASEP Autorun registry keys (2 IoCs)
  resource: behavioral2/memory/4352-1-0x00000000003E0000-0x00000000003F2000-memory.dmp, yara_rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
  resource: C:\Users\Admin\AppData\Roaming\svchost.exe, yara_rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  process: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe; description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  pid 1240, process svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid 4540, process timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 4352, process 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe (all 23 IoCs are this one process)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4352, process 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
  Token: SeDebugPrivilege, pid 1240, process svchost.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each entry below was recorded 3 times)
  PID 4352 (9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe) wrote to memory of 1232 (cmd.exe)
  PID 4352 (9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe) wrote to memory of 4284 (cmd.exe)
  PID 4284 (cmd.exe) wrote to memory of 4540 (timeout.exe)
  PID 1232 (cmd.exe) wrote to memory of 4344 (schtasks.exe)
  PID 4284 (cmd.exe) wrote to memory of 1240 (svchost.exe)
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548.exe"
  PID: 4352
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 1232
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 4344
      signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CA9.tmp.bat""
    PID: 4284
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      PID: 4540
      signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 1240
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 151B
  MD5: b6290a166a35093925f84a9f483b5fc9
  SHA1: a220267a4a2f584ae31b63ad46afd432688be9df
  SHA256: 4285b3660aab3e83bdfc2b85d8430f331345de44568ac9771328d4e43b0f0056
  SHA512: 23d896b61304ecd81cbd1321c6834830894af019cf39b06c360369a5e2d6831abb8d1df0f863810fabcff8f3b0ca1c71805a5ecd28e43008a464b241c635e340