Analysis
max time kernel: 26s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05/09/2024, 14:59
Behavioral task: behavioral1
Sample: 988b8d3ae9f2303ee25180c3aba36130N.exe
Resource: win7-20240704-en
General
Target: 988b8d3ae9f2303ee25180c3aba36130N.exe
Size: 60KB
MD5: 988b8d3ae9f2303ee25180c3aba36130
SHA1: 8b582769709c5c762740631a0aefc7f93f51c1c9
SHA256: 6ffe8e2aa7ebc17267ea90ddc0449d4f60306befd644adb60a26cbf9690f8ec6
SHA512: 21e11756a79b13fce2f5df5fca50ad18696fa6eba2b13245afef12d10cd9840761e0e4519e85cee5d5ac3fbac9c8b37aabec1e79e96a913277abc43ba1201832
SSDEEP: 1536:lEKVoSSTTeBfSIUG+q25b4MwXVwcTXAFI1+:uKiiBqIUG+q25b4McTXAag
Malware Config
Extracted family: asyncrat
Version: SuperBoo Rat v1.1
Botnet: Default
C2: com-distinct.gl.at.ply.gg:26706
Mutex: SuperBoo_mtex_920393
delay: 3
install: true
install_file: ratted.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource                                        yara_rule
  behavioral1/files/0x000a000000012283-13.dat     family_asyncrat

Executes dropped EXE (1 IoC)
  pid    Process
  536    ratted.exe

Loads dropped DLL (6 IoCs)
  pid    Process
  2612   cmd.exe
  300    WerFault.exe
  300    WerFault.exe
  300    WerFault.exe
  300    WerFault.exe
  300    WerFault.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  300    536          WerFault.exe   37

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   988b8d3ae9f2303ee25180c3aba36130N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   timeout.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ratted.exe

Delays execution with timeout.exe (1 IoC)
  pid    Process
  3060   timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2716   schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid    Process
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  536    ratted.exe
  536    ratted.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid    Process
  Token: SeDebugPrivilege  2880   988b8d3ae9f2303ee25180c3aba36130N.exe
  Token: SeDebugPrivilege  536    ratted.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                         pid    Process                                  procid_target
  PID 2880 wrote to memory of 2864    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    31
  PID 2880 wrote to memory of 2864    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    31
  PID 2880 wrote to memory of 2864    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    31
  PID 2880 wrote to memory of 2864    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    31
  PID 2880 wrote to memory of 2612    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    33
  PID 2880 wrote to memory of 2612    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    33
  PID 2880 wrote to memory of 2612    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    33
  PID 2880 wrote to memory of 2612    2880   988b8d3ae9f2303ee25180c3aba36130N.exe    33
  PID 2864 wrote to memory of 2716    2864   cmd.exe                                  35
  PID 2864 wrote to memory of 2716    2864   cmd.exe                                  35
  PID 2864 wrote to memory of 2716    2864   cmd.exe                                  35
  PID 2864 wrote to memory of 2716    2864   cmd.exe                                  35
  PID 2612 wrote to memory of 3060    2612   cmd.exe                                  36
  PID 2612 wrote to memory of 3060    2612   cmd.exe                                  36
  PID 2612 wrote to memory of 3060    2612   cmd.exe                                  36
  PID 2612 wrote to memory of 3060    2612   cmd.exe                                  36
  PID 2612 wrote to memory of 536     2612   cmd.exe                                  37
  PID 2612 wrote to memory of 536     2612   cmd.exe                                  37
  PID 2612 wrote to memory of 536     2612   cmd.exe                                  37
  PID 2612 wrote to memory of 536     2612   cmd.exe                                  37
  PID 536 wrote to memory of 300      536    ratted.exe                               38
  PID 536 wrote to memory of 300      536    ratted.exe                               38
  PID 536 wrote to memory of 300      536    ratted.exe                               38
  PID 536 wrote to memory of 300      536    ratted.exe                               38
Processes
(indentation shows process tree depth; each entry gives image path, command line, triggered signatures, PID)

C:\Users\Admin\AppData\Local\Temp\988b8d3ae9f2303ee25180c3aba36130N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\988b8d3ae9f2303ee25180c3aba36130N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ratted" /tr '"C:\Users\Admin\AppData\Roaming\ratted.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2864

        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /sc onlogon /rl highest /tn "ratted" /tr '"C:\Users\Admin\AppData\Roaming\ratted.exe"'
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID:2716

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp77AF.tmp.bat""
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2612

        C:\Windows\SysWOW64\timeout.exe
          command line: timeout 3
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
          PID:3060

        C:\Users\Admin\AppData\Roaming\ratted.exe
          command line: "C:\Users\Admin\AppData\Roaming\ratted.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:536

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 536
              - Loads dropped DLL
              - Program crash
              PID:300
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 150B
MD5: e8fc2ab7abbe6531c05993113b7c4574
SHA1: dc3c91a5ecbc1af8339437a3cc26e989930f2d58
SHA256: 71210bf123741ea8a0be02ae2c9ec4791f84243c4ccef9dc54623deffcf8d599
SHA512: e9e74c821761e2ee64fb608c6b98014863e4563226035092c5f2e7e0f251345a9d7ddd7a725bcd7cd596ffff874165b55fef684960af0a117397df1e487bf9d5

Filesize: 60KB
MD5: 988b8d3ae9f2303ee25180c3aba36130
SHA1: 8b582769709c5c762740631a0aefc7f93f51c1c9
SHA256: 6ffe8e2aa7ebc17267ea90ddc0449d4f60306befd644adb60a26cbf9690f8ec6
SHA512: 21e11756a79b13fce2f5df5fca50ad18696fa6eba2b13245afef12d10cd9840761e0e4519e85cee5d5ac3fbac9c8b37aabec1e79e96a913277abc43ba1201832