Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
09-08-2024 11:30
General
-
Target
De4dot [Modded ArmDot]/de4dot.exe
-
Size
864KB
-
MD5
5adaa98a0b8e6411899f38807992afc6
-
SHA1
286990f8674e0369a9c27f4ffc346383c5c4b03e
-
SHA256
956a589c4da96ec8386890e9500918dfbfbab1caaae0adc0b9366fa25dc46e52
-
SHA512
700be06def67aa38426cef84d1394f2eb6b30a198857f48df0d6449e85251ee8af764f2574c66e769980275613738056c68c4dfbd0bd74dc255e5dd90254fff6
-
SSDEEP
24576:H/1vb3S3HSpqUXw/bD/ZOGsoXio18NwV+Zg:JiHaIg/obVYg
Malware Config
Extracted
asyncrat
5.0.5
D4Dot
154.61.75.91:4449
-
delay
1
-
install
true
-
install_file
D4dot.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\De4dot [Modded ArmDot]\de4dot.exe"C:\Users\Admin\AppData\Local\Temp\De4dot [Modded ArmDot]\de4dot.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "D4dot" /tr '"C:\Users\Admin\AppData\Roaming\D4dot.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "D4dot" /tr '"C:\Users\Admin\AppData\Roaming\D4dot.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\D4dot.exe"C:\Users\Admin\AppData\Roaming\D4dot.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149B
MD587e791dad54ad03c671f534d23c29b26
SHA122df7936191ce959eebd9819532d76622d0f3954
SHA256b40886719be23bc9251cf12edcf3edd4d855039db9e43c405a840b4594b23e63
SHA512fa783d643e49aa8ab8e9e4432cc5679eb611dbb4dba44efd25dd6d664f43fec96ea385122d9c0165440f83b36a4b61ea6543d0ff371b5963d69a67f023654e2b
-
Filesize
864KB
MD55adaa98a0b8e6411899f38807992afc6
SHA1286990f8674e0369a9c27f4ffc346383c5c4b03e
SHA256956a589c4da96ec8386890e9500918dfbfbab1caaae0adc0b9366fa25dc46e52
SHA512700be06def67aa38426cef84d1394f2eb6b30a198857f48df0d6449e85251ee8af764f2574c66e769980275613738056c68c4dfbd0bd74dc255e5dd90254fff6
-
Filesize
4KB
-
Filesize
888KB
-
Filesize
264KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
888KB