Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-06-2024 18:26

General

  • Target

    Borat/BoratRat.exe

  • Size

    20.0MB

  • MD5

    65b694d69d327efe28fcbce125401e96

  • SHA1

    049d4d71742b99a598c074458f1f2d5b0119e912

  • SHA256

    de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab

  • SHA512

    7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b

  • SSDEEP

    393216:V+G+oTCP+Zw6NLIsFfskh1BmXGnfBd+Uw:IGpTCP+Zlnk0rmkBYUw

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • UAC bypass (3 TTPs, 3 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • System policy modification (1 TTP, 3 IoCs)
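The "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" signatures are all raised on the dropped Client.exe (PID 292), and the same run launches UserAccountControlSettings.exe, the UAC settings applet. The report does not show which registry value was read or written. The following is an added example, not code from the page or from the sample, for checking a host after the fact: it assumes the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the ones that matter, reads them from the live registry only on Windows, and otherwise evaluates a constructed sample so it runs anywhere.

```python
import sys

# Well-known key holding the UAC policy values. The report flags
# "UAC bypass" and "System policy modification" on Client.exe but does
# not show which value it wrote, so the choice of values below is an
# assumption based on how UAC is normally neutralised.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (what a weak value disables, predicate that flags it)
UAC_CHECKS = {
    "EnableLUA": ("UAC", lambda v: v == 0),
    "ConsentPromptBehaviorAdmin": ("admin elevation prompt", lambda v: v == 0),
    "PromptOnSecureDesktop": ("secure desktop prompt", lambda v: v == 0),
}


def read_uac_values():
    """Read the UAC values from the live registry. Windows only; returns
    {name: int or None} where None means the value is absent."""
    if not sys.platform.startswith("win"):
        raise OSError("live registry read needs Windows")
    import winreg  # stdlib, Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_CHECKS:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                values[name] = None
    return values


def assess_uac(values):
    """Return a list of findings for weak UAC settings. Absent values are
    skipped because Windows then applies its default (UAC on)."""
    findings = []
    for name, (what, is_weak) in UAC_CHECKS.items():
        v = values.get(name)
        if v is not None and is_weak(v):
            findings.append(f"{name}={v} ({what} disabled)")
    return findings


# Constructed sample inputs, not data from the report.
HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
TAMPERED = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    try:
        values = read_uac_values()
        source = "live registry"
    except OSError:
        values, source = TAMPERED, "constructed sample"
    print(f"[{source}] findings:", assess_uac(values) or "none")
```

Run it elevated on the suspect host; a finding of EnableLUA=0 is the classic post-infection state, and on Windows 7 it only takes full effect after a reboot, so the value can be tampered before any prompt is observed to disappear.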

Processes

  • C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID: 2416
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 2284
  • C:\Users\Admin\Desktop\Client.exe
    "C:\Users\Admin\Desktop\Client.exe"
    • UAC bypass
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID: 292
  • C:\Users\Admin\Desktop\Client.exe
    "C:\Users\Admin\Desktop\Client.exe"
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID: 808
  • C:\Users\Admin\Desktop\Client.exe
    "C:\Users\Admin\Desktop\Client.exe"
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID: 2280
  • C:\Windows\system32\UserAccountControlSettings.exe
    "C:\Windows\system32\UserAccountControlSettings.exe"
    PID: 1764
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Suspicious use of AdjustPrivilegeToken
    PID: 764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_gd1rwjpue5ky1rwo1qwl5mnr5ta35yo4\1.0.7.0\user.config
    Filesize: 309B
    MD5: 0c6e4f57ebaba0cc4acfc8bb65c589f8
    SHA1: 8c021c2371b87f2570d226b419c64c3102b8d434
    SHA256: a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c
    SHA512: c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

  • C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_gd1rwjpue5ky1rwo1qwl5mnr5ta35yo4\1.0.7.0\user.config
    Filesize: 580B
    MD5: acb6df8bd0fe9236ea87ea6e3c28173f
    SHA1: 8b1d88bd749b58905c6db258e7224a67d1179938
    SHA256: ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b
    SHA512: a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832

  • C:\Users\Admin\AppData\Local\Temp\Cab82C9.tmp
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\TarC892.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\Client.exe
    Filesize: 56KB
    MD5: 4642ccb961eeef7581730e1012ef5883
    SHA1: dc621c86dbae4be306394731f9da54b46e31d7e3
    SHA256: 88205c76799f0522ce69b1e4d64a27ad3fe945ec441d3a54d2b9ffefbc5a8c8f
    SHA512: 7a9c476f8fea06a747124903b8e974680be22a045ac8685f736e323566e178e79db40aee1ee30a5e09e0e547cb6011b8362359026252d74702cfaee729c4775b

  • memory/292-44-0x00000000001F0000-0x0000000000204000-memory.dmp (Filesize: 80KB)
  • memory/292-58-0x0000000000300000-0x000000000031C000-memory.dmp (Filesize: 112KB)
  • memory/292-67-0x00000000002E0000-0x00000000002EE000-memory.dmp (Filesize: 56KB)
  • memory/292-75-0x00000000005C0000-0x00000000005CC000-memory.dmp (Filesize: 48KB)
  • memory/2416-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp (Filesize: 4KB)
  • memory/2416-1-0x0000000001160000-0x000000000256A000-memory.dmp (Filesize: 20.0MB)
  • memory/2416-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-3-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-8-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-9-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-10-0x0000000020A70000-0x0000000020A80000-memory.dmp (Filesize: 64KB)
  • memory/2416-11-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp (Filesize: 4KB)
  • memory/2416-12-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-13-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-40-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
  • memory/2416-41-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize: 9.9MB)
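The dropped-file hashes above are the host-side indicators this report gives: the Desktop\Client.exe payload, the two versions of user.config written under AppData\Local\Server, and the submitted BoratRat.exe itself. The Cab*.tmp and Tar*.tmp files in %TEMP% look like the temporaries Windows creates when it fetches a certificate trust list rather than anything sample-specific, so they are left out. The following is an added example, not code from the page or from the sample: a stand-alone scanner that hashes every regular file under a directory and reports matches against that SHA256 set, with a self-check on a constructed directory (the planted file and its hash are made up for the demo and are not from the report).

```python
import hashlib
import os
import sys
import tempfile

# SHA256 values copied from the report's General and Downloads sections.
DROPPED_SHA256 = {
    "de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab": "BoratRat.exe (submitted sample, 20.0MB)",
    "88205c76799f0522ce69b1e4d64a27ad3fe945ec441d3a54d2b9ffefbc5a8c8f": "Client.exe (dropped, 56KB)",
    "a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c": "user.config (dropped, 309B)",
    "ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b": "user.config (dropped, 580B)",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so the 20MB sample does not need to be
    read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=DROPPED_SHA256):
    """Walk root, hash every regular file, return [(path, label)] for hits.
    Symlinks are skipped and unreadable (locked) files are ignored so one
    bad file does not abort the scan."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, iocs[digest]))
    return hits


def demo():
    """Self-check on a constructed tree: one planted file whose hash is
    added to a throwaway copy of the IOC set, one benign file. Returns the
    sorted labels that matched (constructed data, not from the report)."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "planted.bin")
        with open(planted, "wb") as f:
            f.write(b"constructed sample, not the real dropped file\n")
        with open(os.path.join(root, "benign.txt"), "w") as f:
            f.write("nothing to see here\n")
        iocs = dict(DROPPED_SHA256)
        iocs[sha256_file(planted)] = "planted test file"
        return sorted(label for _, label in scan_tree(root, iocs))


if __name__ == "__main__":
    # Usage: python scan.py <directory>   (defaults to the self-check)
    if len(sys.argv) > 1:
        for path, label in scan_tree(sys.argv[1]):
            print(f"HIT {label}: {path}")
    else:
        print("self-check hits:", demo())
```

Point it at the user profile of a suspect host (C:\Users\<name>); a hit on the Client.exe hash is decisive, while the user.config hashes are weaker evidence because that file is regenerated by the .NET settings machinery and its content will differ with the configured C2 values.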