Analysis
- max time kernel: 135s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 16:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: DB6BF30FD61D330A5466459124FD4F21.exe
- Resource: win7-20240508-en
General
- Target: DB6BF30FD61D330A5466459124FD4F21.exe
- Size: 897KB
- MD5: db6bf30fd61d330a5466459124fd4f21
- SHA1: 5beef951cc1052daeca87d5ef69999b3d0cc1381
- SHA256: 20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
- SHA512: f794a8ed161e23951299890660fd98f42cd0159aca9d6f653263170b0c63ab8b6a4ba2101f13862541440b01517da2c6348a26f1a1cec470878abe4b796474dd
- SSDEEP: 24576:KMPzX5QdJTGSQfTWJcWF2dZ7T8IY3Sd+L0S6D9:KMLqXTGSjcQmZ7QIcSEmD
Malware Config
Extracted
asyncrat
0.5.6D
Default
seznam.zapto.org:6606
seznam.zapto.org:7707
seznam.zapto.org:8808
zaqhepdivuiitce
-
delay
5
-
install
true
-
install_file
sezznam.exe
-
install_folder
%AppData%
Signatures
- Async RAT payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/2624-4-0x0000000004B00000-0x0000000004B12000-memory.dmp | family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | DB6BF30FD61D330A5466459124FD4F21.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4064 | sezznam.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid | process
  2536 | timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes:
  pid | process
  2624 | DB6BF30FD61D330A5466459124FD4F21.exe
  (this row is repeated 21 times in the report)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2624 | DB6BF30FD61D330A5466459124FD4F21.exe
  Token: SeDebugPrivilege | 4064 | sezznam.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 2624 wrote to memory of 4736 | 2624 | DB6BF30FD61D330A5466459124FD4F21.exe | cmd.exe
  PID 2624 wrote to memory of 4056 | 2624 | DB6BF30FD61D330A5466459124FD4F21.exe | cmd.exe
  PID 4056 wrote to memory of 2536 | 4056 | cmd.exe | timeout.exe
  PID 4736 wrote to memory of 2948 | 4736 | cmd.exe | schtasks.exe
  PID 4056 wrote to memory of 4064 | 4056 | cmd.exe | sezznam.exe
  (each row appears three times in the report, 15 entries in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe (level 1, PID 2624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 4736)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3, PID 2948)
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"'
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 4056)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp51AA.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (level 3, PID 2536)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\sezznam.exe (level 3, PID 4064)
      Command line: "C:\Users\Admin\AppData\Roaming\sezznam.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151B
  MD5: cc253ea7aa5888de745eca0241517cf3
  SHA1: e64e59f5da66409852ebbc2e1507d156a16a51d7
  SHA256: a17c4ba8511e019790a02ac3df054ff44f6fae3e36dcd3bb89cb9658695dd807
  SHA512: f8a3e1e829f7e3394cd9b84a9e50545f3874ca220c095be3191a2e454d4614756a68f7cf26dec1d0a751c69b2154f30afc5348df01aa3615e50a6683fe1fd625
- Filesize: 897KB
  MD5: db6bf30fd61d330a5466459124fd4f21
  SHA1: 5beef951cc1052daeca87d5ef69999b3d0cc1381
  SHA256: 20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
  SHA512: f794a8ed161e23951299890660fd98f42cd0159aca9d6f653263170b0c63ab8b6a4ba2101f13862541440b01517da2c6348a26f1a1cec470878abe4b796474dd