Overview

overview

10

Static

static

10

svchost.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    169s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-07-2024 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    63KB

  • MD5

    6fcae16ecca8f23f2195303c254bf3b7

  • SHA1

    09c01f22621ae484af43d6646d1aa0141cdc75be

  • SHA256

    e3ed12c6ddd0437e670d1524b39e33fa67f262de1195b9833d353151a86498b9

  • SHA512

    1f27a1ae0b14485b35f25c1bf81e098246be4ed007ec3275a9277bb795e12ed56a0755d3b7c4a1fff973a24561d71b7157e78d4be489f90b47262b4303caabbc

  • SSDEEP

    1536:RhMpLbRQkB4+ENdZceiHFGbbXwLtok9GIkpqKmY7:RhMpLbRQkB4tdOeoGbbXc2kNvz

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.2

Botnet

Default

C2

stores-less.gl.at.ply.gg:45080

Mutex

AtomRatMutex_penka

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1704
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE07D.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1836
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5008
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4804

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
      Filesize

      425B

      MD5

      2ead231ce66abe78de975d1b05d590a4

      SHA1

      c269fde7c1d36005928089b0689cecd0a2bc1e1c

      SHA256

      71879c54d43afa910afbabfc59235151a78b42049f79f152773fbfca74b2f294

      SHA512

      038480a37fe4227fe04f7323fea842037df486901aab0529145046718ffb48c99e62107f534857ca0023dbb5b72be778bc4911ae2873c01ad826865c44537fdd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE07D.tmp.bat
      Filesize

      151B

      MD5

      3e7bb3b408a4461eb69c49fedd925905

      SHA1

      ac2d1ac10d57ca676a97f213109b1a442cbb93ba

      SHA256

      63f3ac437df5e104eabc2830b98f4630ab6d3ef37b2167d3ba10b943fb81dfa9

      SHA512

      bee749f1c87a60aa90c4bfe067ab0c3fc85c5ccfc9c84aed482c2d86c6dd0967e5dc63c186a5780ec24cbbe6449d8be012b5624df3d30b06c5e85ff3d4d958b7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      63KB

      MD5

      6fcae16ecca8f23f2195303c254bf3b7

      SHA1

      09c01f22621ae484af43d6646d1aa0141cdc75be

      SHA256

      e3ed12c6ddd0437e670d1524b39e33fa67f262de1195b9833d353151a86498b9

      SHA512

      1f27a1ae0b14485b35f25c1bf81e098246be4ed007ec3275a9277bb795e12ed56a0755d3b7c4a1fff973a24561d71b7157e78d4be489f90b47262b4303caabbc

      Download Submit

    • memory/2688-0-0x00007FFB5DDC3000-0x00007FFB5DDC4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-1-0x0000020FC3550000-0x0000020FC3566000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2688-2-0x00007FFB5DDC0000-0x00007FFB5E7AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2688-12-0x00007FFB5DDC0000-0x00007FFB5E7AC000-memory.dmp

      Filesize

      9.9MB

      Download