Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 11:27
Behavioral task behavioral1
  Sample: normal.exe
  Resource: win10-20240611-en

Behavioral task behavioral2
  Sample: normal.exe
  Resource: win10v2004-20240508-en
General

Target: normal.exe
Size: 45KB
MD5: 24de871a8fa5bc8a878ae2b76ccf7081
SHA1: c31b38ed40a3e89d2c156851740cf50c6b42441e
SHA256: 659a6386bb99408c651bbadc023de111e967f887c92e66f83d38208f8eee3afc
SHA512: 9bfad714aa138a4de3c568540ae07ea65c57f4230748d74561a18dc125de1e47bb1fa27c4fb30b1d52d554e240c48435e60d2c46989453fffa8fe1930195e859
SSDEEP: 768:yu1a71T3EiJfWUzDydmo2qzh58SIkOPILzjb5gs3i+uROUHVnloBDZ7x:yu1a71T3xq2sNF3L3bWsS+yHVlOd7x
Malware Config

Extracted: asyncrat
  0.5.8
  Default
  dzacwFnyvZFC
  delay: 3
  install: true
  install_file: update.exe
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/K16mDJV5
Signatures

Async RAT payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\update.exe
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  process: normal.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  pid 2564: update.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 8 IoCs)
  flows 3, 8, 13, 14, 15, 16, 17, 18: pastebin.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid 2136: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid 4816: normal.exe (21 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 4816 normal.exe
  Token SeDebugPrivilege: pid 2564 update.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4816 normal.exe wrote to memory of 4460 cmd.exe (3 events)
  PID 4816 normal.exe wrote to memory of 824 cmd.exe (3 events)
  PID 824 cmd.exe wrote to memory of 2136 timeout.exe (3 events)
  PID 4460 cmd.exe wrote to memory of 2936 schtasks.exe (3 events)
  PID 824 cmd.exe wrote to memory of 2564 update.exe (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\normal.exe  (PID 4816)
  "C:\Users\Admin\AppData\Local\Temp\normal.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4460)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2936)
      schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe  (PID 824)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B7E.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 2136)
      timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\update.exe  (PID 2564)
      "C:\Users\Admin\AppData\Roaming\update.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
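The process tree above is the textbook AsyncRAT install sequence: the sample spawns one cmd.exe that registers an onlogon scheduled task with /rl highest pointing at a copy of itself under %AppData%, and a second cmd.exe that runs a temporary .bat which sleeps (timeout 3, matching delay: 3 in the extracted config) and then launches the dropped update.exe. The following Python is an added example, not part of the sandbox report or of any vendor's detection content. It reconstructs the tree from constructed process-creation events (the PIDs, images and command lines are copied from the report; the parent PID 1000 of normal.exe and the benign FooUpdater task are invented for the example) and raises the two indicators separately before correlating them on their common non-cmd ancestor. Field names follow the four Sysmon Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine, but any telemetry with those fields can be mapped onto ProcEvent.

```python
"""Flag the AsyncRAT-style install chain from process-creation events.

Added example, not part of the sandbox report. Events are constructed to
mirror the PIDs, images and command lines in the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# schtasks persistence that survives reboot and runs elevated
SCHTASKS_PERSIST = re.compile(
    r"schtasks(\.exe)?\s+/create\b.*\s/sc\s+onlogon\b.*\s/rl\s+highest\b", re.I)
# the /tr target, tolerating the '"...path..."' double quoting seen in the report
TR_TARGET = re.compile(r"""/tr\s+['"]+([^'"]+)['"]+""", re.I)
# user-writable locations a real installer would not use for an onlogon task
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
# cmd.exe /c "...\Temp\tmpXXXX.tmp.bat" dropper stub
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.bat\b', re.I)


def _is(image: str, name: str) -> bool:
    """Match on the image file name regardless of System32/SysWOW64 path."""
    return image.lower().endswith("\\" + name)


def non_cmd_ancestor(ev, by_pid):
    """Walk up past cmd.exe wrappers to the process that really spawned this."""
    parent = by_pid.get(ev.ppid)
    while parent is not None and _is(parent.image, "cmd.exe"):
        parent = by_pid.get(parent.ppid)
    return parent.pid if parent is not None else None


def find_install_chain(events):
    """Return (finding, pid, detail) tuples.

    Two independent indicators are raised, then correlated on their common
    non-cmd ancestor: an onlogon/highest scheduled task whose target lives
    under AppData, and a Temp .bat whose children are timeout.exe plus an
    executable under AppData.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings, task_roots, bat_roots = [], set(), set()
    for e in events:
        if _is(e.image, "schtasks.exe") and SCHTASKS_PERSIST.search(e.cmdline):
            m = TR_TARGET.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("schtasks_onlogon_userpath", e.pid, m.group(1)))
                task_roots.add(non_cmd_ancestor(e, by_pid))
        if _is(e.image, "cmd.exe") and TEMP_BAT.search(e.cmdline):
            kids = children.get(e.pid, [])
            delayed = any(_is(k.image, "timeout.exe") for k in kids)
            dropped = [k for k in kids
                       if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
            if delayed and dropped:
                findings.append(("bat_delay_then_dropped_exe", e.pid, dropped[0].image))
                bat_roots.add(e.ppid)
    for root in sorted((task_roots & bat_roots) - {None}):
        findings.append(("asyncrat_like_install_chain", root, by_pid[root].image))
    return findings


# Constructed events mirroring the report's process tree (parent PID 1000 of
# normal.exe is invented), plus one invented benign onlogon task whose target
# is under Program Files and must not fire.
SAMPLE_EVENTS = [
    ProcEvent(4816, 1000, r"C:\Users\Admin\AppData\Local\Temp\normal.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\normal.exe"'),
    ProcEvent(4460, 4816, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" '
              r'''/tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit'''),
    ProcEvent(2936, 4460, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'"""),
    ProcEvent(824, 4816, r"C:\Windows\SysWOW64\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B7E.tmp.bat""'''),
    ProcEvent(2136, 824, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2564, 824, r"C:\Users\Admin\AppData\Roaming\update.exe",
              r'"C:\Users\Admin\AppData\Roaming\update.exe"'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /rl highest /tn "FooUpdater" /tr "C:\Program Files\Foo\foo.exe"'),
]

if __name__ == "__main__":
    for kind, pid, detail in find_install_chain(SAMPLE_EVENTS):
        print(f"{kind:30} pid={pid:<5} {detail}")
```

Each indicator on its own is noisy in real telemetry (software updaters do register onlogon tasks, and admin scripts do use timeout), which is why the chain finding only fires when both hang off the same originating process; tune USER_WRITABLE to the install_folder values your AsyncRAT configs actually show.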
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 150B
  MD5: a9e561303ad3d1403cdc10528815ae71
  SHA1: aa99c5af5766e1ebe8781c19f6a5b2a458569a6b
  SHA256: 3b0fe9486fe9ba1f6df80fd06591df664393353ef190e5fd2cbb4133486e7afe
  SHA512: 349d3ba39d71f11d5f7d2c97762457776a017fd76f14feabbfedbee5c928b041eb45cf0f2f56cecadc44c784d3608aee9a0095cce5f99353eec5f3b56871e708

File 2 (same hashes as the submitted sample normal.exe)
  Filesize: 45KB
  MD5: 24de871a8fa5bc8a878ae2b76ccf7081
  SHA1: c31b38ed40a3e89d2c156851740cf50c6b42441e
  SHA256: 659a6386bb99408c651bbadc023de111e967f887c92e66f83d38208f8eee3afc
  SHA512: 9bfad714aa138a4de3c568540ae07ea65c57f4230748d74561a18dc125de1e47bb1fa27c4fb30b1d52d554e240c48435e60d2c46989453fffa8fe1930195e859