Analysis
-
max time kernel
144s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-08-2024 02:24
Static task
static1
Behavioral task
behavioral1
Sample
e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe
Resource
win10v2004-20240802-en
General
-
Target
e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe
-
Size
1007KB
-
MD5
c1619d951b039ce9cb600815e8b14b26
-
SHA1
4def66d57b972beb3065a29ed1fe88610943d383
-
SHA256
e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac
-
SHA512
c1f071ab1cbe2e12576227a69618f2a717d49c6fa632280b2d769c53c1c8d89bfe51bd524f5aed13fb67d84109e4aa99ec05d96a589284f275135f036bdb2edc
-
SSDEEP
24576:heAy4u8ZernsYvWwUIGOh5rE1xrJK06WwkS9Ev95FZCyGWsfe:Iyern6VIVqxrJ5KyvVZCyGWsfe
Malware Config
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/3364-1056-0x00000000059D0000-0x00000000059EA000-memory.dmp family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kzaibmgvot = "C:\\Users\\Admin\\AppData\\Roaming\\Kzaibmgvot.exe" e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3764 timeout.exe 624 timeout.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe Token: SeDebugPrivilege 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4888 wrote to memory of 3612 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 84 PID 4888 wrote to memory of 3612 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 84 PID 4888 wrote to memory of 3612 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 84 PID 3612 wrote to memory of 3764 3612 cmd.exe 86 PID 3612 wrote to memory of 3764 3612 cmd.exe 86 PID 3612 wrote to memory of 3764 3612 cmd.exe 86 PID 4888 wrote to memory of 400 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 87 PID 4888 wrote to memory of 400 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 87 PID 4888 wrote to memory of 400 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 87 PID 400 wrote to memory of 624 400 cmd.exe 89 PID 400 wrote to memory of 624 400 cmd.exe 89 PID 400 wrote to memory of 624 400 cmd.exe 89 PID 4888 wrote to memory of 3364 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 91 PID 4888 wrote to memory of 3364 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 91 PID 4888 wrote to memory of 3364 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 91 PID 4888 wrote to memory of 3364 4888 e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe"C:\Users\Admin\AppData\Local\Temp\e9837fc1d609e0084452590c09746a89af73ec6abf45a26ab58a4d48c9ebceac.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 52⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\timeout.exetimeout 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3764
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 52⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\timeout.exetimeout 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:624
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3364
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestcamanopetro.con-ip.comIN AResponsecamanopetro.con-ip.comIN A64.188.9.173
-
Remote address:8.8.8.8:53Requestcamanopetro.con-ip.comIN AResponsecamanopetro.con-ip.comIN A64.188.9.173
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
136 B 168 B 2 2
DNS Request
camanopetro.con-ip.com
DNS Request
camanopetro.con-ip.com
DNS Response
64.188.9.173
DNS Response
64.188.9.173
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa