Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted
29-06-2024 11:27
Behavioral task
behavioral1
Sample
normal.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
normal.exe
Resource
win10v2004-20240508-en
General
-
Target
normal.exe
-
Size
45KB
-
MD5
24de871a8fa5bc8a878ae2b76ccf7081
-
SHA1
c31b38ed40a3e89d2c156851740cf50c6b42441e
-
SHA256
659a6386bb99408c651bbadc023de111e967f887c92e66f83d38208f8eee3afc
-
SHA512
9bfad714aa138a4de3c568540ae07ea65c57f4230748d74561a18dc125de1e47bb1fa27c4fb30b1d52d554e240c48435e60d2c46989453fffa8fe1930195e859
-
SSDEEP
768:yu1a71T3EiJfWUzDydmo2qzh58SIkOPILzjb5gs3i+uROUHVnloBDZ7x:yu1a71T3xq2sNF3L3bWsS+yHVlOd7x
Malware Config
Extracted
asyncrat
0.5.8
Default
dzacwFnyvZFC
-
delay
3
-
install
true
-
install_file
update.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/K16mDJV5
Signatures
-
Async RAT payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\update.exe | yara_rule: family_asyncrat
Executes dropped EXE 1 IoCs
Processes:
pid 3256 update.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
Processes:
flows 1, 5, 9, 11, 12, 13, 14, 15, 17 | ioc: pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
Processes:
pid 5000 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid 3252 normal.exe (17 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege | pid 3252 normal.exe
Token: SeDebugPrivilege | pid 3256 update.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
PID 3252 normal.exe wrote to memory of 4152 cmd.exe (3 events)
PID 3252 normal.exe wrote to memory of 3992 cmd.exe (3 events)
PID 4152 cmd.exe wrote to memory of 3672 schtasks.exe (3 events)
PID 3992 cmd.exe wrote to memory of 5000 timeout.exe (3 events)
PID 3992 cmd.exe wrote to memory of 3256 update.exe (3 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\normal.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\normal.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3252
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 4152
    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID: 3672
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 3992
    C:\Windows\SysWOW64\timeout.exe (depth 3)
      command line: timeout 3
      - Delays execution with timeout.exe
      PID: 5000
    C:\Users\Admin\AppData\Roaming\update.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\update.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 3256
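The process tree above is the whole install chain: normal.exe spawns one cmd.exe that registers an "onlogon" scheduled task with /rl highest pointing into %AppData%, and a second cmd.exe that runs a .bat from %Temp%, sleeps via timeout.exe, then launches the dropped update.exe. As an added example (not part of the sandbox report or of any vendor tooling), the Python below runs those two detections over process-creation events constructed from the tree; the parent PID of normal.exe and the benign "Backup" control row are assumed.

```python
"""Hunt for the AsyncRAT install chain shown in this report:
  1. schtasks /create ... /sc onlogon whose action lives in a user-writable dir
  2. cmd.exe running a .bat from a user-writable dir that spawns timeout.exe
     and then an .exe from a user-writable dir (the tmp8DE8.tmp.bat pattern)
Added example, not code from the report. Events are constructed from the
Processes tree; root parent PID and the benign control row are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # command line as logged


# Constructed from the report's Processes tree (PPID 1000 / row 7 assumed).
EVENTS: List[ProcEvent] = [
    ProcEvent(3252, 1000, r"C:\Users\Admin\AppData\Local\Temp\normal.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\normal.exe"'),
    ProcEvent(4152, 3252, r"C:\Windows\SysWOW64\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit'''),
    ProcEvent(3672, 4152, r"C:\Windows\SysWOW64\schtasks.exe",
              r'''schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' '''),
    ProcEvent(3992, 3252, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp.bat""'),
    ProcEvent(5000, 3992, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(3256, 3992, r"C:\Users\Admin\AppData\Roaming\update.exe",
              r'"C:\Users\Admin\AppData\Roaming\update.exe"'),
    # Benign control (assumed): daily task whose action sits under Program Files.
    ProcEvent(7000, 6000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# Directories an unprivileged user can write to; a task action or payload
# living here is the signal, since legitimate software installs elsewhere.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def task_target(cmdline: str) -> Optional[str]:
    """Return the /tr action path. The sample wraps it as '"path"' (single
    quotes around double quotes), so both quote styles are stripped."""
    m = re.search(r"/tr\s+(.+?)(?=\s+/\w+|\s*&|\s*$)", cmdline, re.I)
    return m.group(1).strip().strip("'\"") if m else None


def task_name(cmdline: str) -> Optional[str]:
    m = re.search(r'/tn\s+"?([^"\s]+)"?', cmdline, re.I)
    return m.group(1) if m else None


def find_onlogon_tasks(events: List[ProcEvent]) -> List[Dict]:
    """Detection 1: logon-triggered task whose action is in a user-writable dir."""
    hits = []
    for e in events:
        if basename(e.image) != "schtasks.exe":
            continue
        cl = e.cmdline.lower()
        if "/create" not in cl or not re.search(r"/sc\s+onlogon", cl):
            continue
        target = task_target(e.cmdline)
        if target and USER_WRITABLE.search(target):
            hits.append({"pid": e.pid, "task": task_name(e.cmdline),
                         "target": target,
                         "highest": bool(re.search(r"/rl\s+highest", cl))})
    return hits


def find_delayed_drop_chains(events: List[ProcEvent]) -> List[Dict]:
    """Detection 2: cmd.exe <- .bat in user-writable dir, children include
    timeout.exe and an .exe launched from a user-writable dir."""
    by_parent: Dict[int, List[ProcEvent]] = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe" or ".bat" not in e.cmdline.lower():
            continue
        if not USER_WRITABLE.search(e.cmdline):
            continue
        kids = by_parent.get(e.pid, [])
        delay = [k for k in kids if basename(k.image) == "timeout.exe"]
        payload = [k for k in kids
                   if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        if delay and payload:
            hits.append({"cmd_pid": e.pid, "timeout_pid": delay[0].pid,
                         "payload_pid": payload[0].pid, "payload": payload[0].image})
    return hits


if __name__ == "__main__":
    for h in find_onlogon_tasks(EVENTS) + find_delayed_drop_chains(EVENTS):
        print(h)
```

Both detections key on the location of the action or payload rather than on the name "update", since the task name and file name are operator-chosen and change between builds; the onlogon plus /rl highest plus %AppData% combination is what survives renaming.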
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
150B
MD5
581f776a593a275596ab215cb14afc99
SHA1
e492f46f74045bcd09a5c8f980e6bf5ed465fc05
SHA256
8496f90e1f012ecca199015f867cfca84edae9c21e1d6a40218402e5ba28e6f9
SHA512
ecd1499b73e3dd0b670fc90c388d9eb9d9729fc6f6710ca94bf4c1042b169df11c2fe33432fdfd4cdb2597ad982f85350ef7516edd272dd2bbb4fa22f305cbab
-
Filesize
45KB
MD5
24de871a8fa5bc8a878ae2b76ccf7081
SHA1
c31b38ed40a3e89d2c156851740cf50c6b42441e
SHA256
659a6386bb99408c651bbadc023de111e967f887c92e66f83d38208f8eee3afc
SHA512
9bfad714aa138a4de3c568540ae07ea65c57f4230748d74561a18dc125de1e47bb1fa27c4fb30b1d52d554e240c48435e60d2c46989453fffa8fe1930195e859
(hashes identical to the submitted sample normal.exe listed under General)