Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09-08-2024 11:25

General

  • Target

    De4dot [Modded ArmDot].rar

  • Size

    1.6MB

  • MD5

    342e5985f616e188d6c8e36646c64afa

  • SHA1

    5a63d72d930d84099132e26191d7744ebc59eebb

  • SHA256

    e78ca92972b835e979464db8ace1c68f41091a442caff0009076155c8fefe285

  • SHA512

    eafb9b599cf8a4fc4f598745a0c21e9358560fcfac4d6e32674bc7cdd1e391d11a831fe0519005c767071a030fc55fae71f45373406d150a3923164553c994c1

  • SSDEEP

    49152:sC+xacTJtRU+AkF97tPnq+xacTJtRU+A9yVKn2IuA/:OJ2wD7t/J2M83uG

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

D4Dot

C2

154.61.75.91:4449

Attributes
  • delay

    1

  • install

    true

  • install_file

    D4dot.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan, written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\De4dot [Modded ArmDot].rar"
    1⤵
    • Modifies registry class
    PID:1284
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3456
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4272
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\" -spe -an -ai#7zMap11878:102:7zEvent26861
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4572
    • C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot -64.exe
      "C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot -64.exe" "C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "D4dot" /tr '"C:\Users\Admin\AppData\Roaming\D4dot.exe"' & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "D4dot" /tr '"C:\Users\Admin\AppData\Roaming\D4dot.exe"'
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:840
        • C:\Users\Admin\AppData\Roaming\D4dot.exe
          "C:\Users\Admin\AppData\Roaming\D4dot.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:720
    • C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot.exe
      "C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot.exe" "C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot -64.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.bat

    Filesize

    149B

    MD5

    722e4838090d485c3140e509074f1375

    SHA1

    891e8cfb3b0f1e7c3f441ee1f2869eab2cb94adf

    SHA256

    5d25b8532205c9ed34c0cb088f70877966da0dcca377fd1e315a8e60179c1ac0

    SHA512

    add32ac91a93ff537a418661ab1f0fdc63544f37f76a948f32bdbf343ddd32f8e3dff987d4c1fe4b75e8fddc68efe6016417e5f16034037218db840e59d62444

  • C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot -64.exe

    Filesize

    864KB

    MD5

    5adaa98a0b8e6411899f38807992afc6

    SHA1

    286990f8674e0369a9c27f4ffc346383c5c4b03e

    SHA256

    956a589c4da96ec8386890e9500918dfbfbab1caaae0adc0b9366fa25dc46e52

    SHA512

    700be06def67aa38426cef84d1394f2eb6b30a198857f48df0d6449e85251ee8af764f2574c66e769980275613738056c68c4dfbd0bd74dc255e5dd90254fff6

  • C:\Users\Admin\Desktop\De4dot [Modded ArmDot]\de4dot.exe.config

    Filesize

    386B

    MD5

    7d85bf81018e3346cc1360ab54891b53

    SHA1

    39a189f5eb68c9d7ddc83eff779bf0097f4a485a

    SHA256

    6ac7546263b4c4805085897b4d871e46dfbe9b2e52a19b0e23ae7bc37f473bc1

    SHA512

    ab6c2dc32b926b4b1c5a683caa5c2971bac6860907fb5204b6a30c49d1decb0d41d0d1f3f9e4b1aa6e3096e25691d285440c3c74172d20b148ad527dc91132e2

  • memory/832-46-0x00000000006D0000-0x00000000007AE000-memory.dmp

    Filesize

    888KB

  • memory/832-47-0x00000000010D0000-0x0000000001112000-memory.dmp

    Filesize

    264KB