Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 04:50
Static task: static1
Behavioral task: behavioral1
Sample: First.exe
Resource: win7-20240708-en
General
Target: First.exe
Size: 21KB
MD5: c1d6e0a7cb5f59781fe6fb8e28b9c3e6
SHA1: ea12f2eb7216851d488b694c3ed72040e236b67c
SHA256: 3daacb3f869e6a293c943fe782d480129c831c6aeeca408e17dd7ba5255e3983
SHA512: fb8d04c043077b9908baf5913356c55c91944d0c452ece8716327f996b504fa7cd9d6104668069055c6b8285b1df2af5892f18c8e59c11cb4b9fc74e7d5d54a2
SSDEEP: 384:IDRQmNZSqPDyqXVQmXNQltXpQyXlQx/uoOQtGQmXE9RrA5SX7jd2Szli5lG7NqPa:Za32tzclrVLjdbi5lGMVA3g
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 127.0.0.1:7777, 45.137.198.159:7777
Mutex: pgUcrHSbq2HY
Attributes:
delay: 3
install: true
install_file: 123987.exe
install_folder: %AppData%
Note: 127.0.0.1:7777 is a loopback entry and is unreachable from a victim host; the only routable C2 in this config is 45.137.198.159:7777. The install attributes match the process tree below, where Main.exe registers a logon task for %AppData%\123987.exe and a batch file waits 3 seconds (timeout 3) before launching it.
Signatures
Modifies Windows Defender Real-time Protection settings 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | First.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | First.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | First.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | First.exe
These are Group Policy override values under HKLM\SOFTWARE\Policies, which a standard user cannot write, so they have no effect unless the sample runs with administrative rights.
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x00070000000187c0-19.dat | family_asyncrat
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid | Process
1688 | Main.exe
2916 | 123987.exe
Loads dropped DLL 1 IoCs
pid | Process
2072 | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123987.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Main.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
The same read is reported for the stock Windows binaries timeout.exe and schtasks.exe, so on its own this signature is not evidence of geofencing by the sample.
Delays execution with timeout.exe 1 IoCs
pid | Process
648 | timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2152 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1688 | Main.exe (3 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1688 | Main.exe
Token: SeDebugPrivilege | 2916 | 123987.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2712 wrote to memory of 1688 (4 events) | 2712 | First.exe | 31
PID 1688 wrote to memory of 1116 (4 events) | 1688 | Main.exe | 32
PID 1688 wrote to memory of 2072 (4 events) | 1688 | Main.exe | 34
PID 2072 wrote to memory of 648 (4 events) | 2072 | cmd.exe | 36
PID 1116 wrote to memory of 2152 (4 events) | 1116 | cmd.exe | 37
PID 2072 wrote to memory of 2916 (4 events) | 2072 | cmd.exe | 38
Every target is the writer's own child in the process tree below, so these writes are consistent with process creation (the sandbox records each WriteProcessMemory call made while a parent spawns a child) rather than injection into an unrelated process.
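The 24 WriteProcessMemory events above reduce to six writer/target pairs, each logged four times. Rebuilding the parent/child relation from them is a quick way to confirm that every write goes to the writer's own child, and to spot the case that would not: a target written by two different processes. The script below is an added example and is not part of the sandbox report or of any sandbox vendor's tooling; the rows and the leaf-name map are copied from this report, while the helper names and the constructed "injection" row used in the usage note are this example's own assumptions.

```python
"""Rebuild the process tree from sandbox WriteProcessMemory rows.

Added example, not part of this report. Row shape, one row per event:
    PID <writer> wrote to memory of <target> <writer> <writer name> <procid_target>
The rows and LEAF_NAMES are copied from the report; helper names are assumed.
"""
from __future__ import annotations

import re
from collections import Counter

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# The 24 rows of the signature above, in the order printed (each pair four times).
WRITE_EVENTS = (
    ["PID 2712 wrote to memory of 1688 2712 First.exe 31"] * 4
    + ["PID 1688 wrote to memory of 1116 1688 Main.exe 32"] * 4
    + ["PID 1688 wrote to memory of 2072 1688 Main.exe 34"] * 4
    + ["PID 2072 wrote to memory of 648 2072 cmd.exe 36"] * 4
    + ["PID 1116 wrote to memory of 2152 1116 cmd.exe 37"] * 4
    + ["PID 2072 wrote to memory of 2916 2072 cmd.exe 38"] * 4
)

# Processes that never write to another process have no name in these rows;
# taken from the pid/Process columns of the other signatures in this report.
LEAF_NAMES = {2152: "schtasks.exe", 648: "timeout.exe", 2916: "123987.exe"}


def parse_writes(rows):
    """Return (unique (writer, target) edges in first-seen order,
    Counter of events per edge, {writer pid: name})."""
    edges, counts, names = [], Counter(), {}
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue
        writer, target, _pid, name, _procid = m.groups()
        edge = (int(writer), int(target))
        if edge not in counts:
            edges.append(edge)
        counts[edge] += 1
        names[edge[0]] = name
    return edges, counts, names


def build_tree(edges):
    """Derive parent/child maps and root pids, treating each write as creation."""
    parent, children = {}, {}
    for writer, target in edges:
        parent[target] = writer
        children.setdefault(writer, []).append(target)
    seen = []
    for writer, target in edges:
        for pid in (writer, target):
            if pid not in seen:
                seen.append(pid)
    return parent, children, [pid for pid in seen if pid not in parent]


def multi_writer_targets(edges):
    """Targets written by more than one distinct process. A process has exactly
    one creator, so a second writer cannot be explained by creation alone."""
    writers = {}
    for writer, target in edges:
        writers.setdefault(target, set()).add(writer)
    return {t: w for t, w in writers.items() if len(w) > 1}


def lineage(parent, names, pid):
    """Names from the root down to pid (stops if the parent map loops)."""
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return [names.get(p, "?") for p in reversed(chain)]


def render(children, names, pid, depth=0):
    """Indented text tree rooted at pid, two spaces per level."""
    lines = [f"{'  ' * depth}{names.get(pid, '?')} ({pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def analyze(rows, leaf_names):
    edges, counts, names = parse_writes(rows)
    names = {**leaf_names, **names}
    parent, children, roots = build_tree(edges)
    return {"edges": edges, "counts": counts, "names": names, "parent": parent,
            "children": children, "roots": roots,
            "suspect": multi_writer_targets(edges)}


if __name__ == "__main__":
    r = analyze(WRITE_EVENTS, LEAF_NAMES)
    for root in r["roots"]:
        print("\n".join(render(r["children"], r["names"], root)))
    print("events per edge:", dict(r["counts"]))
    print("targets with more than one writer:", r["suspect"])
```

On this report the tree comes out as First.exe > Main.exe > two cmd.exe children > schtasks.exe, timeout.exe and 123987.exe, and `suspect` is empty. Appending a constructed row such as `PID 2916 wrote to memory of 1688 2916 123987.exe 40` makes `suspect` report 1688 as written by both 2712 and 2916, which is the shape a real injection would take in this data.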
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | First.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | First.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | First.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableSettingsPage = "1" | First.exe
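The Defender override values in the first signature and the Explorer/System policy values in this one are plain registry writes, so a triage script can pick both groups out of sandbox or EDR registry events by sub-key and value name. The following is an added example, not part of the sandbox report or of any vendor's tooling: it parses rows in the shape this report prints, matches them against a small watch-list and tags each hit. The watch-list, the ATT&CK technique tags and the single benign notepad.exe row at the end of the sample are this example's own assumptions; the eight First.exe rows are copied from the two signatures.

```python
"""Flag Defender and Explorer/System policy tampering in sandbox registry rows.

Added example, not part of this sandbox report or of any vendor's tooling. The
row format is the one printed in the report; the watch-list, the ATT&CK tags
and the one benign notepad.exe row are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Row shapes as printed in the report:
#   Set value (int) \REGISTRY\MACHINE\...\Key\ValueName = "1" process.exe
#   Key created \REGISTRY\MACHINE\...\Key process.exe        (no data; ignored)
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

# sub-key (hive and user SID stripped, lower-case) -> {value name: technique}.
# Assumed tags: T1562.001 Impair Defenses: Disable or Modify Tools,
# T1112 Modify Registry.
WATCHED_VALUES = {
    r"software\policies\microsoft\windows defender\real-time protection": {
        "disablerealtimemonitoring": "T1562.001",
        "disablebehaviormonitoring": "T1562.001",
        "disableonaccessprotection": "T1562.001",
        "disablescanonrealtimeenable": "T1562.001",
        "disableioavprotection": "T1562.001",
    },
    r"software\policies\microsoft\windows defender": {
        "disableantispyware": "T1562.001",
    },
    r"software\microsoft\windows\currentversion\policies\explorer": {
        "nocontrolpanel": "T1112",
    },
    r"software\microsoft\windows\currentversion\policies\system": {
        "disablesettingspage": "T1112",
        "disabletaskmgr": "T1562.001",
        "disableregistrytools": "T1562.001",
    },
}


@dataclass(frozen=True)
class Finding:
    process: str
    key: str        # hive plus lower-case sub-key
    value_name: str
    data: str
    technique: str


def split_registry_path(raw: str) -> tuple[str, str]:
    """'\\REGISTRY\\MACHINE\\Sub\\Key' -> ('HKLM', 'sub\\key'). Under the user
    hive the leading SID component is dropped so HKCU policy keys match the
    same watch-list entries as HKLM ones."""
    low = raw.lower().lstrip("\\")
    machine, user = "registry\\machine\\", "registry\\user\\"
    if low.startswith(machine):
        return "HKLM", low[len(machine):]
    if low.startswith(user):
        rest = low[len(user):]
        return "HKU", (rest.split("\\", 1)[1] if "\\" in rest else rest)
    return "?", low


def find_registry_tampering(rows: list[str]) -> list[Finding]:
    """Return one Finding per 'Set value' row that sets a watched value to 1."""
    findings = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if not m:
            continue
        _vtype, path, data, process = m.groups()
        hive, subkey = split_registry_path(path)
        key, _, value_name = subkey.rpartition("\\")
        technique = WATCHED_VALUES.get(key, {}).get(value_name)
        if technique and data.strip() == "1":
            findings.append(Finding(process, hive + "\\" + key, value_name, data, technique))
    return findings


# Constructed sample: the eight First.exe rows from this report plus one made-up
# harmless write by notepad.exe that must not be flagged.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" First.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection First.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" First.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" First.exe',
    r'Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer First.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" First.exe',
    r'Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System First.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableSettingsPage = "1" First.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Example\LastRun = "2024-09-28" notepad.exe',
]

if __name__ == "__main__":
    for f in find_registry_tampering(SAMPLE_ROWS):
        print(f"{f.process}: {f.key}\\{f.value_name} = {f.data}  [{f.technique}]")
```

Only rows that set a watched value to 1 are reported; a write of 0 to the same value re-enables the feature and is deliberately not a hit. The "Disables Task Manager" signature in this report has no row shown, so DisableTaskMgr is in the watch-list on the assumption that it would appear under the same Policies\System key.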
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\First.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\First.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2712
  Level 2: C:\Users\Admin\AppData\Roaming\Main.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Main.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1688
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "123987" /tr '"C:\Users\Admin\AppData\Roaming\123987.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1116
      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "123987" /tr '"C:\Users\Admin\AppData\Roaming\123987.exe"'
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 2152
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.bat""
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2072
      Level 4: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
        PID: 648
      Level 4: C:\Users\Admin\AppData\Roaming\123987.exe
        Command line: "C:\Users\Admin\AppData\Roaming\123987.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2916
Notes: the first cmd.exe was requested as C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, so Main.exe is a 32-bit process and the path was redirected by WOW64. The timeout 3 in the batch file matches delay 3 in the extracted config, and the task name, onlogon trigger, highest run level and action path match install_file and install_folder: this task is the sample's persistence, re-launching %AppData%\123987.exe at every logon of this user. /rl highest only yields an elevated token when the creating account is an administrator; for a standard user the task still runs, but with that user's normal rights.
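The schtasks.exe command line at level 4 is the whole persistence mechanism: a task named after the install file, triggered at every logon, requested at the highest run level, whose action is an executable under %AppData%. The parser below is an added example, not part of the sandbox report: it tokenises a schtasks /create command line as it appears here (note the single quotes wrapped around the double-quoted path, which cmd.exe passes through literally), extracts the switches, and scores the usual persistence tells. SAMPLE is copied from the process tree; BENIGN, the scoring rules and the helper names are this example's own assumptions.

```python
"""Parse a `schtasks /create` command line and score its persistence tells.

Added example, not part of this report. SAMPLE is the schtasks.exe command line
at level 4 of the process tree above; BENIGN, the scoring rules and the helper
names are this example's own assumptions.
"""
from __future__ import annotations

import re

# One token is a single-quoted run, a double-quoted run, or bare text. cmd.exe
# passes single quotes through untouched, so /tr '"C:\...\x.exe"' reaches
# schtasks as one argument with two quote layers to strip.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

# Locations a standard user can write to; a task action living there is the
# usual mark of user-level persistence rather than an installed product.
USER_WRITABLE_RE = re.compile(
    r"\\(appdata|programdata|temp|users\\public)\\", re.IGNORECASE)

SAMPLE = ("schtasks /create /f /sc onlogon /rl highest /tn \"123987\" "
          "/tr '\"C:\\Users\\Admin\\AppData\\Roaming\\123987.exe\"'")
# Constructed comparison: a vendor-style daily task under Program Files.
BENIGN = ("schtasks /create /sc daily /st 03:00 /tn \"Backup\" "
          "/tr \"C:\\Program Files\\Backup\\backup.exe\"")


def unquote(token: str) -> str:
    """Strip matching outer quote layers, one layer at a time."""
    while len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        token = token[1:-1]
    return token


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map each /switch to its value; switches without a value map to ''."""
    tokens = [unquote(t) for t in TOKEN_RE.findall(cmdline)]
    args: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[name] = tokens[i + 1]
                i += 2
                continue
            args[name] = ""
        i += 1
    return args


def persistence_tells(args: dict[str, str]) -> list[str]:
    """Reasons this /create call looks like malware persistence (assumed rules)."""
    tells = []
    if "create" not in args:
        return tells
    action = args.get("tr", "")
    if USER_WRITABLE_RE.search(action):
        tells.append("action lives in a user-writable directory: " + action)
    if args.get("sc", "").lower() in {"onlogon", "onstart", "minute"}:
        tells.append("trigger re-runs the action unattended: /sc " + args["sc"])
    if args.get("rl", "").lower() == "highest":
        tells.append("asks for the highest run level the account has (/rl highest)")
    if "f" in args:
        tells.append("silently replaces an existing task of that name (/f)")
    return tells


def analyze(cmdline: str) -> tuple[dict[str, str], list[str]]:
    args = parse_schtasks(cmdline)
    return args, persistence_tells(args)


if __name__ == "__main__":
    for label, cmd in (("sample", SAMPLE), ("benign", BENIGN)):
        args, tells = analyze(cmd)
        print(label, args.get("tn"), "->", args.get("tr"))
        for t in tells:
            print("   ", t)
```

The same rules apply to live hosts: feed in the command lines from process-creation telemetry where the image is schtasks.exe, or the task definitions from `schtasks /query /v /fo LIST`, and compare against Security event 4698 (a scheduled task was created) if that audit category is enabled.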
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
File 1
Filesize: 150B
MD5: 9c6442b8f7a4cc2e127afd212dd2448a
SHA1: 7a9055be7ec3e3eac1b11a109739a73bb853af60
SHA256: 35ed2cffed05cf160249a76bb906eb50eb907d966f30d15e043ccb602f488789
SHA512: 6629a9363c54d86b816b6221e3730b44eef00092d8ccbba3b43ba2b6b1333a88119c667af8b1113aca5a250a9be6f9dbfabc69c5cb2fbdfe0a2ceeaf0b7c2674
File 2
Filesize: 45KB
MD5: ec18d00e2e6081e86545a04c9cb4f574
SHA1: 469de216b8b68cef615921cfe3bcf3464ca2b4fa
SHA256: 6718034ff0bb979bfe7e73baad3eecf86e43ce1edf22d357143d6077eb882b71
SHA512: 950c8c81cddca030958fc9ec8a9f09239a56c0965aa3d89512c6baf427ad650332aedca0cc792927ae6dbdf98c42710fb5f7d41f6b43a7a6b2ddf3fcd3105cd6