Malware Analysis Report

2024-10-23 19:27

Sample ID  240629-tqsakstgkk
Target     DB6BF30FD61D330A5466459124FD4F21.exe
SHA256     20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
Tags       asyncrat default rat
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score         10/10
SHA256        20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
Threat Level  Known bad

The file DB6BF30FD61D330A5466459124FD4F21.exe was found to be: Known bad.

Behaviour observed in both detonations (Windows 7 and Windows 10), reconstructed from the process, network and file sections below:

- The sample is an unsigned PE whose file name is its own MD5 (db6bf30fd61d330a5466459124fd4f21). It copies itself unchanged to C:\Users\Admin\AppData\Roaming\sezznam.exe; the copy has the same MD5, SHA1 and SHA256 as the submitted file.
- It spawns cmd.exe to run schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"': a logon-triggered task, named after the sample, that starts the copy as SYSTEM at the highest run level. Creating a task that runs as SYSTEM requires administrative rights, and the report does not record whether schtasks succeeded, so on a non-elevated host this persistence step can fail while the rest of the chain still runs.
- It writes a batch file to %TEMP% (tmp3AEE.tmp.bat on Windows 7, tmp51AA.tmp.bat on Windows 10) and runs it through cmd /c; that cmd.exe instance then starts timeout 3 and, after it, the copy in AppData\Roaming. The three-second wait is what the "Delays execution with timeout.exe" evasion signature fires on.
- Network activity: seznam.zapto.org (a No-IP dynamic-DNS hostname) is resolved through 8.8.8.8 and a TCP connection is opened to 172.232.164.13 on port 8808 (Windows 7 run) and port 7707 (Windows 10 run). These are the only entries in the network sections that are tied to the sample.
- Both the original and the copy enable SeDebugPrivilege in their token, and the original enumerates running processes. On Windows 10 the original also reads Control Panel\International\Geo\Nation from the user hive (the "Checks computer location settings" signature).

Malicious Activity Summary

asyncrat default rat
AsyncRat
Async RAT payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The matrix itself did not survive extraction; the mapping below was reconstructed by the editor from the signatures and observations recorded in this report, using Enterprise v15 technique IDs.

T1053.005  Scheduled Task/Job: Scheduled Task                      schtasks /create /sc onlogon /ru system /rl highest (both runs)
T1497.003  Virtualization/Sandbox Evasion: Time Based Evasion      timeout 3 run from the dropped batch file
T1614      System Location Discovery                               query of Control Panel\International\Geo\Nation (behavioral2)
T1057      Process Discovery                                       Suspicious behavior: EnumeratesProcesses
T1082      System Information Discovery                            Enumerates physical storage devices
T1568      Dynamic Resolution                                      C2 hostname seznam.zapto.org (No-IP dynamic DNS)
T1571      Non-Standard Port                                       C2 over TCP 8808 and TCP 7707

Analysis: static1

Detonation Overview

Reported  2024-06-29 16:16

Signatures

Unsigned PE
  No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-29 16:16
Reported          2024-06-29 16:18
Platform          win7-20240508-en
Max time kernel   120s
Max time network  139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"

Signatures

AsyncRat (rat, asyncrat)

Async RAT payload (rat)
  No indicator details recorded (two hits).

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\sezznam.exe

Loads dropped DLL
  Process: C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Delays execution with timeout.exe (evasion)
  Process: C:\Windows\SysWOW64\timeout.exe

Scheduled Task/Job: Scheduled Task (persistence, execution)
  Process: C:\Windows\SysWOW64\schtasks.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe (2 hits)

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Roaming\sezznam.exe

Suspicious use of WriteProcessMemory

  Source PID (process)                           Target PID (process)                                Rows in report
  2992 (DB6BF30FD61D330A5466459124FD4F21.exe)    804  (C:\Windows\SysWOW64\cmd.exe)                  4
  2992 (DB6BF30FD61D330A5466459124FD4F21.exe)    2140 (C:\Windows\SysWOW64\cmd.exe)                  4
  2140 (C:\Windows\SysWOW64\cmd.exe)             2820 (C:\Windows\SysWOW64\timeout.exe)              4
  804  (C:\Windows\SysWOW64\cmd.exe)             2260 (C:\Windows\SysWOW64\schtasks.exe)             4
  2140 (C:\Windows\SysWOW64\cmd.exe)             2788 (C:\Users\Admin\AppData\Roaming\sezznam.exe)   4

  Every source/target pair above is a parent/child pair in the Processes section below; no write into an unrelated, pre-existing process is recorded. Read this signature as process creation by the sample and its cmd.exe children, not as injection into a foreign process.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above; each child is listed under its parent, image path first, command line second):

2992  C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe
      "C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"
  804   C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"' & exit
    2260  C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"'
  2140  C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp.bat""
    2820  C:\Windows\SysWOW64\timeout.exe
          timeout 3
    2788  C:\Users\Admin\AppData\Roaming\sezznam.exe
          "C:\Users\Admin\AppData\Roaming\sezznam.exe"

The image path of cmd.exe is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\System32\cmd.exe: the sample is a 32-bit process, and WOW64 file-system redirection maps System32 to SysWOW64 for it and for everything it launches.
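The process list above is what a detection engineer actually keys on: a schtasks /create with a logon trigger, a SYSTEM principal and an action under a user-writable path, plus a cmd /c on a %TEMP% batch file and a timeout delay. The following is an added example written by the editor for this page; it is not code from the sandbox or from AsyncRAT. It parses the command lines copied from this run into structured findings, and it serves the behavioral2 process list as well, which differs only in PIDs and the batch file name. The rule names, the list of user-writable directories and the regular expressions are the editor's assumptions.

```python
"""Added example (editor's code, not from the sandbox report or from AsyncRAT):
turn sandbox command lines into structured persistence/evasion findings.

Assumptions (editor's, not from the report): rule names, USER_WRITABLE list,
and the regular expressions used to pick the command lines apart.
"""
import re

# The schtasks command exactly as it appears in the report.
SCHTASKS_CMD = (
    r"schtasks /create /f /sc onlogon /ru system /rl highest "
    r"/tn DB6BF30FD61D330A5466459124FD4F21 "
    r"""/tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"'"""
)

# Command lines copied from the behavioral1 process list above.
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"',
    r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS_CMD + " & exit",
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp.bat""',
    "timeout 3",
    SCHTASKS_CMD,
    r'"C:\Users\Admin\AppData\Roaming\sezznam.exe"',
]

# /flag, optionally followed by a value: '...', "...", or a bare token that
# does not itself start with '/' (so "/create /f" yields two valueless flags).
FLAG_RE = re.compile(r"""/(\w+)(?:\s+('[^']*'|"[^"]*"|(?!/)\S+))?""")

# Directories a standard user can write to (editor's list). A SYSTEM task whose
# action lives here is controlled by whoever controls that user profile.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_schtasks(cmdline):
    """Return {flag: value} for a schtasks invocation, or None if there is none."""
    m = re.search(r"schtasks(?:\.exe)?\b", cmdline, re.IGNORECASE)
    if not m:
        return None
    flags = {}
    for name, value in FLAG_RE.findall(cmdline[m.end():]):
        flags[name.lower()] = value.strip("'\"")  # '"C:\x.exe"' -> C:\x.exe
    return flags


def analyze(cmdlines):
    """Return a list of finding dicts for the given command lines."""
    findings = []
    for cl in cmdlines:
        flags = parse_schtasks(cl)
        if flags is not None and "create" in flags:
            action = flags.get("tr", "")
            why = []
            if flags.get("sc", "").lower() in ("onlogon", "onstart"):
                why.append("logon/boot trigger")
            if flags.get("ru", "").lower() in ("system", "nt authority\\system"):
                why.append("runs as SYSTEM")
            if flags.get("rl", "").lower() == "highest":
                why.append("highest run level")
            if any(d in action.lower() for d in USER_WRITABLE):
                why.append("action in user-writable path")
            if why:
                findings.append({"rule": "scheduled_task_persistence",
                                 "task": flags.get("tn", ""),
                                 "action": action, "why": why})
        # cmd /c on a batch file dropped under a Temp directory
        bat = re.search(r'([a-z]:\\[^"]*\\temp\\[^"]*\.bat)', cl, re.IGNORECASE)
        if bat and re.search(r"\bcmd(?:\.exe)?\b.*/c", cl, re.IGNORECASE):
            findings.append({"rule": "temp_batch_launcher", "path": bat.group(1)})
        # timeout N, with or without a path and with or without /t
        delay = re.fullmatch(r"\s*(?:\S*\\)?timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)\b.*",
                             cl, re.IGNORECASE)
        if delay:
            findings.append({"rule": "timeout_delay", "seconds": int(delay.group(1))})
    return findings


if __name__ == "__main__":
    for finding in analyze(REPORT_CMDLINES):
        print(finding)
```

Both the cmd.exe wrapper and the bare schtasks.exe line produce the same finding, which is what you want when the source is a process list rather than a single event: either line alone is enough to raise the alert, and the task name (here the sample's own MD5) is the key to hunt with on other hosts.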

Network

Country  Destination           Domain            Proto
US       8.8.8.8:53            seznam.zapto.org  udp
US       172.232.164.13:8808   seznam.zapto.org  tcp

seznam.zapto.org is a No-IP dynamic-DNS hostname. It is resolved through the sandbox resolver (8.8.8.8) and a TCP connection to 172.232.164.13 on port 8808, a non-standard port, follows. The hostname, the address and the port are the C2 indicators of this run.

Files

memory/2992-0-0x00000000748FE000-0x00000000748FF000-memory.dmp
memory/2992-1-0x0000000000C60000-0x0000000000D46000-memory.dmp
memory/2992-2-0x0000000000370000-0x0000000000382000-memory.dmp
memory/2992-3-0x00000000748F0000-0x0000000074FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp.bat (dropped batch launcher)
  MD5     4004d959e6f00c5579d92bbb21995f74
  SHA1    4dee2c1147dc571443fbcaf5dfe1ef371cb732c1
  SHA256  97a53bbaa866fbaa7d2ece5a81aa4617843ec422cfc2163271f997bb57d331ae
  SHA512  514f135308f1399fca1b1c2ca33e8465419cce19aa423c65f5231b4e0885f80c6e973ad47c250e188aff476f807d1bb201ad1a6db380d5c49c1e598d032dacee

memory/2992-13-0x00000000748F0000-0x0000000074FDE000-memory.dmp

\Users\Admin\AppData\Roaming\sezznam.exe (dropped copy; every hash matches the submitted sample, so the file is copied byte for byte, not re-encoded or patched)
  MD5     db6bf30fd61d330a5466459124fd4f21
  SHA1    5beef951cc1052daeca87d5ef69999b3d0cc1381
  SHA256  20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
  SHA512  f794a8ed161e23951299890660fd98f42cd0159aca9d6f653263170b0c63ab8b6a4ba2101f13862541440b01517da2c6348a26f1a1cec470878abe4b796474dd

memory/2788-17-0x00000000008A0000-0x0000000000986000-memory.dmp
memory/2788-18-0x00000000002A0000-0x00000000002B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-29 16:16
Reported          2024-06-29 16:18
Platform          win10v2004-20240611-en
Max time kernel   135s
Max time network  129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"

Signatures

AsyncRat (rat, asyncrat)

Async RAT payload (rat)
  No indicator details recorded.

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\sezznam.exe

Enumerates physical storage devices

Delays execution with timeout.exe (evasion)
  Process: C:\Windows\SysWOW64\timeout.exe

Scheduled Task/Job: Scheduled Task (persistence, execution)
  Process: C:\Windows\SysWOW64\schtasks.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe (21 hits)

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Roaming\sezznam.exe

Suspicious use of WriteProcessMemory

  Source PID (process)                           Target PID (process)                                Rows in report
  2624 (DB6BF30FD61D330A5466459124FD4F21.exe)    4736 (C:\Windows\SysWOW64\cmd.exe)                  3
  2624 (DB6BF30FD61D330A5466459124FD4F21.exe)    4056 (C:\Windows\SysWOW64\cmd.exe)                  3
  4056 (C:\Windows\SysWOW64\cmd.exe)             2536 (C:\Windows\SysWOW64\timeout.exe)              3
  4736 (C:\Windows\SysWOW64\cmd.exe)             2948 (C:\Windows\SysWOW64\schtasks.exe)             3
  4056 (C:\Windows\SysWOW64\cmd.exe)             4064 (C:\Users\Admin\AppData\Roaming\sezznam.exe)   3

  As in the Windows 7 run, every source/target pair is a parent/child pair in the Processes section below; no write into an unrelated, pre-existing process is recorded.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above; each child is listed under its parent, image path first, command line second):

2624  C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe
      "C:\Users\Admin\AppData\Local\Temp\DB6BF30FD61D330A5466459124FD4F21.exe"
  4736  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"' & exit
    2948  C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /ru system /rl highest /tn DB6BF30FD61D330A5466459124FD4F21 /tr '"C:\Users\Admin\AppData\Roaming\sezznam.exe"'
  4056  C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp51AA.tmp.bat""
    2536  C:\Windows\SysWOW64\timeout.exe
          timeout 3
    4064  C:\Users\Admin\AppData\Roaming\sezznam.exe
          "C:\Users\Admin\AppData\Roaming\sezznam.exe"

The chain is identical to the Windows 7 run apart from PIDs and the batch file name (tmp51AA.tmp.bat); the System32 to SysWOW64 redirection of cmd.exe applies here for the same reason (32-bit parent under WOW64).

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53            g.bing.com                      udp
US       204.79.197.237:443    g.bing.com                      tcp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53            136.32.126.40.in-addr.arpa      udp
NL       23.62.61.97:443       www.bing.com                    tcp
US       8.8.8.8:53            97.61.62.23.in-addr.arpa        udp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53            seznam.zapto.org                udp
US       172.232.164.13:7707   seznam.zapto.org                tcp
US       8.8.8.8:53            13.164.232.172.in-addr.arpa     udp
US       8.8.8.8:53            82.90.14.23.in-addr.arpa        udp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53            107.12.20.2.in-addr.arpa        udp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       150.171.27.10:443     tse1.mm.bing.net                tcp   (5 connections)
US       8.8.8.8:53            57.169.31.20.in-addr.arpa       udp
US       8.8.8.8:53            10.27.171.150.in-addr.arpa      udp

Only seznam.zapto.org and 172.232.164.13:7707 match the Windows 7 run (same hostname and address, different port: 7707 here, 8808 there). The *.in-addr.arpa rows are reverse (PTR) lookups of addresses already seen, 13.164.232.172.in-addr.arpa being the lookup for the C2 address itself, and nothing in this report ties the bing.com / bing.net HTTPS traffic to the sample. Do not put the Microsoft or Google addresses on a blocklist on the strength of this run.
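Separating the two C2 rows from the twenty-odd rows of resolver and background traffic above is a small filtering problem that recurs with every sandbox report. The following is an added example written by the editor for this page, not code from the sandbox or from AsyncRAT. It takes rows copied from both network tables (a representative subset of the behavioral2 table) and reduces them to indicators. The classification rules, the dynamic-DNS zone list and the choice to key on non-web TCP ports are the editor's assumptions; the sandbox does not say which process produced a flow, so the result is a heuristic, not attribution.

```python
"""Added example (editor's code, not from the sandbox report or from AsyncRAT):
reduce sandbox network tables to actionable C2 indicators.

Rows are copied from the report (a representative subset of behavioral2).
Assumptions (editor's): DYNDNS_ZONES, WEB_PORTS and the two filtering rules.
"""
from collections import defaultdict

# (run, country, destination, domain, proto) as printed in the report.
NETWORK_ROWS = [
    ("behavioral1", "US", "8.8.8.8:53", "seznam.zapto.org", "udp"),
    ("behavioral1", "US", "172.232.164.13:8808", "seznam.zapto.org", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("behavioral2", "US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("behavioral2", "NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "seznam.zapto.org", "udp"),
    ("behavioral2", "US", "172.232.164.13:7707", "seznam.zapto.org", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "13.164.232.172.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("behavioral2", "US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]

# Free dynamic-DNS zones (No-IP and DuckDNS); zapto.org is one of No-IP's.
DYNDNS_ZONES = ("zapto.org", "no-ip.org", "hopto.org", "ddns.net",
                "sytes.net", "duckdns.org")
WEB_PORTS = {80, 443}


def is_dyndns(domain):
    """True if the name sits in one of the dynamic-DNS zones above."""
    d = domain.lower()
    return any(d == z or d.endswith("." + z) for z in DYNDNS_ZONES)


def extract_c2(rows):
    """Group suspicious flows by domain: {domain: {ips, ports, runs, why}}."""
    hits = defaultdict(lambda: {"ips": set(), "ports": set(),
                                "runs": set(), "why": set()})
    for run, _country, dest, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue  # PTR lookups of addresses already seen: resolver noise
        host, port = dest.rsplit(":", 1)
        port = int(port)
        why = set()
        if is_dyndns(domain):
            why.add("dynamic-DNS hostname")
        if proto == "tcp" and port not in WEB_PORTS:
            why.add("TCP to non-web port %d" % port)
        if not why:
            continue  # e.g. HTTPS to bing.com: nothing ties it to the sample
        rec = hits[domain]
        rec["runs"].add(run)
        rec["why"] |= why
        if proto == "tcp":  # only connections, not lookups, give an IP:port
            rec["ips"].add(host)
            rec["ports"].add(port)
    return dict(hits)


def format_iocs(hits):
    """One line per domain, in a form that can go straight into a ticket."""
    lines = []
    for domain, rec in sorted(hits.items()):
        lines.append("%s -> %s tcp/%s  seen in: %s  because: %s" % (
            domain,
            ",".join(sorted(rec["ips"])),
            ",".join(str(p) for p in sorted(rec["ports"])),
            ",".join(sorted(rec["runs"])),
            "; ".join(sorted(rec["why"]))))
    return lines


if __name__ == "__main__":
    for line in format_iocs(extract_c2(NETWORK_ROWS)):
        print(line)
```

Keying on the dynamic-DNS zone and on the port independently matters: if the operator moved the listener to 443 the port rule would go quiet but the zone rule would still fire, and if they switched to a freshly registered domain the port rule would still catch the 7707/8808 listener.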

Files

memory/2624-0-0x000000007457E000-0x000000007457F000-memory.dmp
memory/2624-1-0x00000000000C0000-0x00000000001A6000-memory.dmp
memory/2624-2-0x00000000051D0000-0x0000000005774000-memory.dmp
memory/2624-3-0x0000000004C20000-0x0000000004CB2000-memory.dmp
memory/2624-4-0x0000000004B00000-0x0000000004B12000-memory.dmp
memory/2624-5-0x0000000004CC0000-0x0000000004D5C000-memory.dmp
memory/2624-6-0x0000000074570000-0x0000000074D20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp51AA.tmp.bat (dropped batch launcher; different hashes from the Windows 7 batch file, so its contents are not constant across runs)
  MD5     cc253ea7aa5888de745eca0241517cf3
  SHA1    e64e59f5da66409852ebbc2e1507d156a16a51d7
  SHA256  a17c4ba8511e019790a02ac3df054ff44f6fae3e36dcd3bb89cb9658695dd807
  SHA512  f8a3e1e829f7e3394cd9b84a9e50545f3874ca220c095be3191a2e454d4614756a68f7cf26dec1d0a751c69b2154f30afc5348df01aa3615e50a6683fe1fd625

memory/2624-12-0x0000000074570000-0x0000000074D20000-memory.dmp

C:\Users\Admin\AppData\Roaming\sezznam.exe (dropped copy; every hash matches the submitted sample, as in the Windows 7 run)
  MD5     db6bf30fd61d330a5466459124fd4f21
  SHA1    5beef951cc1052daeca87d5ef69999b3d0cc1381
  SHA256  20e3320ed125693938485c94c8ebf1a981ed2d717bba86f137a4b327757946fe
  SHA512  f794a8ed161e23951299890660fd98f42cd0159aca9d6f653263170b0c63ab8b6a4ba2101f13862541440b01517da2c6348a26f1a1cec470878abe4b796474dd

memory/4064-16-0x0000000074570000-0x0000000074D20000-memory.dmp
memory/4064-17-0x0000000074570000-0x0000000074D20000-memory.dmp
memory/4064-20-0x0000000006660000-0x00000000066C6000-memory.dmp
memory/4064-21-0x0000000074570000-0x0000000074D20000-memory.dmp