Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-06-2024 18:21

General

  • Target

    Borat/BoratRat.exe

  • Size

    20.0MB

  • MD5

    65b694d69d327efe28fcbce125401e96

  • SHA1

    049d4d71742b99a598c074458f1f2d5b0119e912

  • SHA256

    de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab

  • SHA512

    7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b

  • SSDEEP

    393216:V+G+oTCP+Zw6NLIsFfskh1BmXGnfBd+Uw:IGpTCP+Zlnk0rmkBYUw

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2924
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:2628
  • C:\Users\Admin\Desktop\Client.exe
    "C:\Users\Admin\Desktop\Client.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:608

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_gd1rwjpue5ky1rwo1qwl5mnr5ta35yo4\1.0.7.0\user.config

      Filesize

      309B

      MD5

      0c6e4f57ebaba0cc4acfc8bb65c589f8

      SHA1

      8c021c2371b87f2570d226b419c64c3102b8d434

      SHA256

      a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c

      SHA512

      c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

    • C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_gd1rwjpue5ky1rwo1qwl5mnr5ta35yo4\1.0.7.0\user.config

      Filesize

      1KB

      MD5

      1a2f6590a315ad14e912f73788c51b10

      SHA1

      84edd3f054314e6854cfd4e6cc576c13bdf3d6c7

      SHA256

      0d1f78db40e281dea8844394736f7a34f2a5e10f6a27324bba042d2fb6a52cf3

      SHA512

      6bc6ff4384fdcc7f3779bd70ca3da5a3522dc28283b64d7aed37a64c36aa77799a841aa782e10ec2e3d48e7c99f740b0d5c5acc0eb07d7f484fbd470f25a0d8c

    • C:\Users\Admin\AppData\Local\Temp\CabD7A.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\Desktop\Client.exe

      Filesize

      56KB

      MD5

      488b7dde15dd6432e01e147d8f872cbf

      SHA1

      add51da2dd99fe4cb4ebcc8245320344c316edbd

      SHA256

      82c92e3c5d4801ac2349db481cf30c9ee40b9460bed84a12aaf330fffd4b28da

      SHA512

      2f9fdd1c6749a492cf453f3b85cd893e48c26669ec6f13463dbde88626edaf7abe37195fb93b0fa2eff351d35de3d7dd881c159af743b96b0f74b3a964f86c72

    • C:\Users\Admin\Desktop\Client.exe

      Filesize

      56KB

      MD5

      74e8bc60a681a0d19de0da352a645db3

      SHA1

      fcf93dee2de23e1f7c78038c88ca3abcb905bf0a

      SHA256

      2711b4d4066239b49855f1c6569cf041c0ec4aa3baac659c7e18e917f8e495b2

      SHA512

      3342bec9a1ecc5836061b6d07e94a8b37c3fae7f9c20055788f87905cd3d81f5737fd60c6395eed890da40108e49590ea667d786140c2e239af0762f70360415

    • memory/608-74-0x00000000003A0000-0x00000000003B4000-memory.dmp

      Filesize

      80KB

    • memory/2924-3-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2924-11-0x0000000020260000-0x0000000020270000-memory.dmp

      Filesize

      64KB

    • memory/2924-14-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2924-10-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2924-9-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2924-8-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

    • memory/2924-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

    • memory/2924-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2924-1-0x0000000000F30000-0x000000000233A000-memory.dmp

      Filesize

      20.0MB