Analysis
- max time kernel: 120s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 16:16

Static task: static1
Behavioral task: behavioral1
Sample: DB6BF30FD61D330A5466459124FD4F21.exe
Resource: win7-20240508-en
General
- Target: DB6BF30FD61D330A5466459124FD4F21.exe
- Size: 897KB
- MD5: db6bf30fd61d330a5466459124fd4f21
- SHA1: 5beef951cc1052daeca87d5ef69999b3d0cc1381
- SHA256: 20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
- SHA512: f794a8ed161e23951299890660fd98f42cd0159aca9d6f653263170b0c63ab8b6a4ba2101f13862541440b01517da2c6348a26f1a1cec470878abe4b796474dd
- SSDEEP: 24576:KMPzX5QdJTGSQfTWJcWF2dZ7T8IY3Sd+L0S6D9:KMLqXTGSjcQmZ7QIcSEmD
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.6D
- Default
- C2:
  - seznam.zapto.org:6606
  - seznam.zapto.org:7707
  - seznam.zapto.org:8808
- zaqhepdivuiitce
- delay: 5
- install: true
- install_file: sezznam.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (2 IoCs)
  YARA rule family_asyncrat matched in two process memory dumps:
  - behavioral1/memory/2992-2-0x0000000000370000-0x0000000000382000-memory.dmp
  - behavioral1/memory/2788-18-0x00000000002A0000-0x00000000002B2000-memory.dmp
  Both regions are 0x12000 bytes, consistent with the same unpacked payload running in the dropper (PID 2992) and in its installed copy (PID 2788).
- Executes dropped EXE (1 IoC)
  - PID 2788 sezznam.exe
- Loads dropped DLL (1 IoC)
  - PID 2140 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  - PID 2820 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2992 DB6BF30FD61D330A5466459124FD4F21.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2992 DB6BF30FD61D330A5466459124FD4F21.exe
  - Token: SeDebugPrivilege, PID 2788 sezznam.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID -> target PID, each pair logged 4 times:
  - 2992 DB6BF30FD61D330A5466459124FD4F21.exe -> 804 cmd.exe
  - 2992 DB6BF30FD61D330A5466459124FD4F21.exe -> 2140 cmd.exe
  - 2140 cmd.exe -> 2820 timeout.exe
  - 804 cmd.exe -> 2260 schtasks.exe
  - 2140 cmd.exe -> 2788 sezznam.exe
  Every write is from a parent into a child it has just created, which process creation itself performs; on its own this signature carries little weight, but the pairs confirm the process tree below.
Processes
C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe (PID 2992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 804)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2260)
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"'
      - Scheduled Task/Job: Scheduled Task
  C:\Windows\SysWOW64\cmd.exe (PID 2140)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 2820)
      Command line: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\sezznam.exe (PID 2788)
      Command line: "C:\Users\Admin\AppData\Roaming\sezznam.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

The command lines name C:\Windows\System32\cmd.exe while the executed image is C:\Windows\SysWOW64\cmd.exe: the dropper is a 32-bit process, so WOW64 file system redirection maps System32 to SysWOW64 for it and its children. The tree shows the two halves of the install: one cmd.exe registers a logon-triggered task as SYSTEM pointing at the %AppData% copy, the other runs a batch file from %TEMP% that waits 3 seconds (timeout 3) and then starts the installed copy, which is the process whose memory matches the family_asyncrat rule.
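The chain above (dropper -> cmd.exe -> schtasks ONLOGON into %AppData%, and dropper -> cmd.exe -> %TEMP% .bat -> timeout -> dropped executable) is a compact detection target. The following is an added example, not part of this sandbox report and not AsyncRAT's own code, that correlates Sysmon Event ID 1 style process-creation records against the three stages and alerts only when more than one stage shares the same root process. The event list is constructed from the PIDs, images and command lines in the tree; the dropper's parent PID (1234) and the benign control task (PID 3100) are made up. One caveat: the schtasks /ru system path only succeeds when the dropper already runs elevated, as under the sandbox's Admin account; when it does not, AsyncRAT's installer persists through an HKCU Run key instead, which these rules do not cover.

```python
"""Correlate the AsyncRAT install chain from process-creation events.
Added example for this report, not sandbox output or AsyncRAT code. Input is a
constructed list of Sysmon Event ID 1 style records mirroring the process tree
above; the dropper's PPID and the benign control event are made up.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# The task registration from the report: logon trigger, SYSTEM account, target in %AppData%.
TASK_CMD = (
    r"schtasks /create /f /sc onlogon /ru system /rl highest "
    r"/tn DB6BF30FD61D330A5466459124FD4F21 "
    r"""/tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"'"""
)
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\sezznam.exe"

EVENTS = [
    ProcEvent(2992, 1234, DROPPER, f'"{DROPPER}"'),  # PPID 1234 is assumed; the report omits it
    ProcEvent(804, 2992, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"),
    ProcEvent(2260, 804, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    ProcEvent(2140, 2992, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp.bat""'),
    ProcEvent(2820, 2140, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2788, 2140, PAYLOAD, f'"{PAYLOAD}"'),
    # Constructed control: an ordinary daily task registered from System32; must not fire.
    ProcEvent(3100, 3000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
]

TASK_TARGET = re.compile(r"""/tr\s+['"]*([^'"]+)""", re.IGNORECASE)   # action path after /tr
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def rule_logon_task_into_appdata(ev, by_pid):
    """schtasks.exe creating an ONLOGON task whose action lives under a user's AppData."""
    if basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.cmdline.lower()
    if "/create" not in cl or not re.search(r"/sc\s+onlogon", cl):
        return False
    target = TASK_TARGET.search(ev.cmdline)
    return bool(target and APPDATA.search(target.group(1)))

def rule_temp_bat_via_cmd(ev, by_pid):
    """cmd.exe /c running a .bat dropped in %TEMP% (the tmpXXXX.tmp.bat relaunch stub)."""
    return (basename(ev.image) == "cmd.exe"
            and "/c" in ev.cmdline.lower()
            and TEMP_BAT.search(ev.cmdline) is not None)

def rule_dropped_exe_from_cmd(ev, by_pid):
    """An executable under AppData started by cmd.exe whose own parent ran from %TEMP%."""
    if not APPDATA.search(ev.image):
        return False
    parent = by_pid.get(ev.ppid)
    if parent is None or basename(parent.image) != "cmd.exe":
        return False
    grand = by_pid.get(parent.ppid)
    return grand is not None and "\\appdata\\local\\temp\\" in grand.image.lower()

RULES = {
    "logon_task_into_appdata": rule_logon_task_into_appdata,
    "temp_bat_via_cmd": rule_temp_bat_via_cmd,
    "dropped_exe_from_cmd": rule_dropped_exe_from_cmd,
}

def root_pid(ev, by_pid):
    """Walk PPIDs to the oldest ancestor we hold an event for (the dropper here)."""
    seen = set()
    while ev.ppid in by_pid and ev.pid not in seen:
        seen.add(ev.pid)
        ev = by_pid[ev.ppid]
    return ev.pid

def correlate(events):
    """Map each process-tree root to {rule name: PID of the process that matched}."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev, by_pid):
                hits.setdefault(root_pid(ev, by_pid), {})[name] = ev.pid
    return hits

def alerts(events, min_rules=2):
    """Roots where at least min_rules distinct stages fired: the chain, not a lone event."""
    return {root: h for root, h in correlate(events).items() if len(h) >= min_rules}
```

alerts(EVENTS) returns {2992: {'logon_task_into_appdata': 2260, 'temp_bat_via_cmd': 2140, 'dropped_exe_from_cmd': 2788}}; the control task under PID 3100 never appears because it is neither ONLOGON nor aimed at AppData. Grouping by root PID is what separates this from a bare schtasks alert: a single ONLOGON task into AppData is worth a look, but three stages hanging off one process started from %TEMP% is the install routine itself. The regexes match the quoting seen in this report; a production rule should normalise quotes and environment-variable forms of the paths before matching.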
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151B
  MD5: 4004d959e6f00c5579d92bbb21995f74
  SHA1: 4dee2c1147dc571443fbcaf5dfe1ef371cb732c1
  SHA256: 97a53bbaa866fbaa7d2ece5a81aa4617843ec422cfc2163271f997bb57d331ae
  SHA512: 514f135308f1399fca1b1c2ca33e8465419cce19aa423c65f5231b4e0885f80c6e973ad47c250e188aff476f807d1bb201ad1a6db380d5c49c1e598d032dacee
- Filesize: 897KB
  MD5: db6bf30fd61d330a5466459124fd4f21
  SHA1: 5beef951cc1052daeca87d5ef69999b3d0cc1381
  SHA256: 20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
  SHA512: f794a8ed161e23951299890660fd98f42cd0159aca9d6f653263170b0c63ab8b6a4ba2101f13862541440b01517da2c6348a26f1a1cec470878abe4b796474dd
  These hashes are identical to the submitted sample, so the 897KB drop is a byte-for-byte copy of the dropper rather than a second-stage download.