Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-06-2024 18:18

General

  • Target

    Borat/BoratRat.exe

  • Size

    20.0MB

  • MD5

    65b694d69d327efe28fcbce125401e96

  • SHA1

    049d4d71742b99a598c074458f1f2d5b0119e912

  • SHA256

    de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab

  • SHA512

    7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b

  • SSDEEP

    393216:V+G+oTCP+Zw6NLIsFfskh1BmXGnfBd+Uw:IGpTCP+Zlnk0rmkBYUw

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (29 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (29 IoCs)
  • Suspicious use of SendNotifyMessage (25 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4656
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:4372
  • C:\Users\Admin\Desktop\Ccleaner.exe
    "C:\Users\Admin\Desktop\Ccleaner.exe"
    1⤵
    • Executes dropped EXE
    PID:1092
  • C:\Users\Admin\Desktop\Ccleaner.exe
    "C:\Users\Admin\Desktop\Ccleaner.exe"
    1⤵
    • Executes dropped EXE
    PID:2012
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe69adab58,0x7ffe69adab68,0x7ffe69adab78
      2⤵
      PID:2932
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:2
      2⤵
      PID:312
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8
      2⤵
      PID:2656
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8
      2⤵
      PID:2004
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:1
      2⤵
      PID:3052
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:1
      2⤵
      PID:3508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:1
      2⤵
      PID:940
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4268 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8
      2⤵
      PID:1144
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8
      2⤵
      PID:4412
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:1320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4561d51c-2906-47d7-944f-8f216245f7dc.tmp
    Filesize: 6KB
    MD5: 8d0d465c2e7e94c0caaa0fc3171f8d7b
    SHA1: e57bb2e71194b1ad6f1794a812df4e13d289ef72
    SHA256: 8d9f604a33d617d3f87e80e816b24327cf6a0a437781069e36aa13c927c47c32
    SHA512: ab5ce923530e72052596115fd8d8de7c685d02653d19b6f1b8d0c87c95e4fc81db7351e107a4efaa95f7f16949b6feeff92ad6a2dbf71f7b4aa4a68391cccf12

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: 50c0005b07a0a2ef433dcb51d7256701
    SHA1: 21f8c9e562231416eb2b836a3a8bbf47326a3f45
    SHA256: a93072eb1c4a2c18b9b15750043db98a3b8df0fe8861f1bea38a5d4de7a430ae
    SHA512: 3502093365ce47784b0946c5e623df184a94c5453b7b2e1756d4e53dc45556ad63d55b64d42516c0618e1ee53fba47f3c41b2bc6f8bdb00cf9118b7c991b48a8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 356B
    MD5: fada4ce43fe037c532cf0a28908a663b
    SHA1: 672013912b3c4fd38082a6541c0de65c3af924b3
    SHA256: 2bf1ba9731295f8ba12c46bf26c41ce2dd1990810e568a6e8f6399e4d7d17d70
    SHA512: 77771f905c59128f8b0ada257f738be0151ddd413912d307b6b58cf211d73c9917b3c15a562994ef2076d1ef4f607913b3d406f6d5d15c03e12b5dbedeb1f1c7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 129KB
    MD5: f2bcfc7377dafae543bfaaeb810722c5
    SHA1: 10228ac0573343fab6f990730cb05097455cc6b9
    SHA256: 6c914226304adb788e96d1b6725655bbe08014d99213c772413894243b1aaa08
    SHA512: 69de05421d1207c167e2248ee4ea5e0b19b01191e9370d6d230b76514eec3ae0ab7ff32c0e20aed2922f97afcc19855dcbd9221fa6e84b3a53cdbc5ff0637850

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ccleaner.exe.log
    Filesize: 226B
    MD5: 28d7fcc2b910da5e67ebb99451a5f598
    SHA1: a5bf77a53eda1208f4f37d09d82da0b9915a6747
    SHA256: 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
    SHA512: 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

  • C:\Users\Admin\Desktop\Ccleaner.exe
    Filesize: 56KB
    MD5: 47a549213035dfa857c813a4758a2359
    SHA1: f1054ae0bd8ac88f5fd7bfd8d415a79a60ea16d9
    SHA256: 9f541fab9df17f2e088be6bc2f9c65d92538c22d1df270501e87f3a7fc819fa7
    SHA512: 833cba5113224cfba9caec905f9791a99289065ce0091d37ec8fec1f4b2256793cdeae2181f51ea1934a667dfaef650f984e5c2527ed76dad4d11616de32bf9e

  • \??\pipe\crashpad_4572_RLKDEAHPQTLKQPTD
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1092-32-0x0000000000C40000-0x0000000000C54000-memory.dmp
    Filesize: 80KB

  • memory/4656-7-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-15-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-14-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-13-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-34-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-12-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-9-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-8-0x00007FFE5AA83000-0x00007FFE5AA85000-memory.dmp
    Filesize: 8KB

  • memory/4656-0-0x00007FFE5AA83000-0x00007FFE5AA85000-memory.dmp
    Filesize: 8KB

  • memory/4656-4-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-3-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-2-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp
    Filesize: 10.8MB

  • memory/4656-1-0x000001C792F60000-0x000001C79436A000-memory.dmp
    Filesize: 20.0MB
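The Signatures, Processes and Downloads sections above carry enough structure to be triaged mechanically. The script below is an added example, not the sandbox's own tooling and not code from the sample: it reproduces the "Executes dropped EXE" signature by matching process image paths against files written during the run, labels each dropped-file entry so Chrome profile noise and empty reads can be skipped, and parses the memory-dump names to recover each region's size and how many snapshots of it were taken. The PIDs, paths, MD5s and dump names are copied from this report; the labels, the TRIVIAL_CONTENT table and the size-formatting rule are this example's own assumptions.

```python
"""Triage helpers over a sandbox report: reproduce the 'Executes dropped EXE'
signature, label dropped-file entries and summarise memory-dump regions.
Added example; PIDs, paths, MD5s and dump names are copied from the report,
the labels are this script's own assumptions."""
import hashlib
import re

# Image paths and PIDs from the report's "Processes" section.
PROCESSES = [
    (4656, r"C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"),
    (4372, r"C:\Windows\system32\wbem\WmiApSrv.exe"),
    (1092, r"C:\Users\Admin\Desktop\Ccleaner.exe"),
    (2012, r"C:\Users\Admin\Desktop\Ccleaner.exe"),
    (4572, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (1320, r"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"),
]

# (path, MD5) for a subset of the report's "Downloads" file entries.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports",
     "d751713988987e9331980363e24189ce"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ccleaner.exe.log",
     "28d7fcc2b910da5e67ebb99451a5f598"),
    (r"C:\Users\Admin\Desktop\Ccleaner.exe", "47a549213035dfa857c813a4758a2359"),
    (r"\??\pipe\crashpad_4572_RLKDEAHPQTLKQPTD", "d41d8cd98f00b204e9800998ecf8427e"),
]

# All memory-dump entries from the report's "Downloads" section.
MEMORY_DUMPS = [
    "memory/1092-32-0x0000000000C40000-0x0000000000C54000-memory.dmp",
    "memory/4656-7-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-15-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-14-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-13-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-34-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-12-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-9-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-8-0x00007FFE5AA83000-0x00007FFE5AA85000-memory.dmp",
    "memory/4656-0-0x00007FFE5AA83000-0x00007FFE5AA85000-memory.dmp",
    "memory/4656-4-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-3-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-2-0x00007FFE5AA80000-0x00007FFE5B541000-memory.dmp",
    "memory/4656-1-0x000001C792F60000-0x000001C79436A000-memory.dmp",
]

# Digests of contents that say nothing about the sample: an empty read and the
# literal "[]" Chrome writes to a fresh JSON state file. Computed rather than
# hard-coded so the table cannot drift from the real hashes.
TRIVIAL_CONTENT = {
    hashlib.md5(b"").hexdigest(): "empty input, nothing was captured",
    hashlib.md5(b"[]").hexdigest(): "literal '[]' (empty JSON list)",
}

def classify_file(path, md5):
    """Label a dropped-file entry so sandbox noise can be skipped (assumed labels)."""
    if md5 in TRIVIAL_CONTENT:
        return "noise: " + TRIVIAL_CONTENT[md5]
    low = path.lower()
    if "\\google\\chrome\\user data\\" in low:
        return "noise: Chrome profile artifact written by the browser itself"
    if "\\clr_v4.0\\usagelogs\\" in low:
        return "evidence: .NET Framework usage log, the named managed executable ran"
    if low.endswith(".exe"):
        return "drop: executable written during the run"
    return "unclassified"

def dropped_exe_executions(processes, dropped):
    """'Executes dropped EXE': processes whose image is a file the run itself wrote."""
    written = {path.lower() for path, _ in dropped}
    return [(pid, path) for pid, path in processes if path.lower() in written]

DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_memory_dump(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> (pid, seq, start, end, size)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory-dump entry: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return pid, seq, start, end, end - start

def report_size(nbytes):
    """Format a byte count the way the report does: 8KB, 80KB, 10.8MB, 20.0MB."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"

def distinct_regions(names):
    """Collapse repeated snapshots of one region: {(pid, start, end): [seq, ...]}."""
    regions = {}
    for name in names:
        pid, seq, start, end, _ = parse_memory_dump(name)
        regions.setdefault((pid, start, end), []).append(seq)
    return regions

if __name__ == "__main__":
    for pid, path in dropped_exe_executions(PROCESSES, DROPPED):
        print(f"Executes dropped EXE: PID {pid} {path}")
    for path, md5 in DROPPED:
        print(f"{classify_file(path, md5)}\n    {path}")
    for (pid, start, end), seqs in sorted(distinct_regions(MEMORY_DUMPS).items()):
        print(f"PID {pid} 0x{start:016X}-0x{end:016X} {report_size(end - start):>7} snapshots {sorted(seqs)}")
```

Two things the output makes visible that the raw list hides. The crashpad pipe entry's digests are those of zero bytes, and the SCT Auditing file is just "[]", so neither is an artifact of the sample; the only file written by the run that a process then executed is Ccleaner.exe (PIDs 1092 and 2012), and the CLR usage log for it shows it is a managed executable. Of the 13 dumps of PID 4656, ten are repeated snapshots of one 10.8MB region and two of one 8KB region; the remaining 20.0MB region matches the sample's reported size, which is consistent with, though not proof of, it being the sample's own mapped image.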