Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27-10-2024 20:36
Behavioral task
behavioral1
Sample
1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe
Resource
win7-20241010-en
General
-
Target
1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe
-
Size
47KB
-
MD5
70c599d7fea4b5a29f7adae785ce9bf1
-
SHA1
46c508df2a683eb0b2b507badc214f8e6bf13b6a
-
SHA256
1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a
-
SHA512
356a917c7e44a12f6a97551f907cfbd5b693ae19c7cdcb590c1691f0d4443bb3c5f56a246f5a1186ce3b6eaf5ce059047a95b3dfa2d925f470877873d4c2a09e
-
SSDEEP
768:xu6XdTvER+SWUk6P4mo2qbrtM2KOB4Jrd0PImLzzJs9D0bHrMgIvjzKxFojwQBDo:xu6XdTv2S2EtCdd5Uzz7bHrCKxa0GdMx
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
WHXr1NLnlupn
-
delay
3
-
install
true
-
install_file
poop.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\poop.exe    yara_rule: family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation    process: 1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe -
Executes dropped EXE 1 IoCs
Processes:
PID 3968: poop.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process: 1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process: cmd.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process: cmd.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process: timeout.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process: schtasks.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process: poop.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
PID 1140: timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
PID 3080: 1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe (23 occurrences) -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege    PID 3080: 1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe
Token: SeDebugPrivilege    PID 3968: poop.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
PID 3080 wrote to memory of 4068    1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe -> cmd.exe (3 occurrences)
PID 3080 wrote to memory of 1956    1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe -> cmd.exe (3 occurrences)
PID 1956 wrote to memory of 1140    cmd.exe -> timeout.exe (3 occurrences)
PID 4068 wrote to memory of 4672    cmd.exe -> schtasks.exe (3 occurrences)
PID 1956 wrote to memory of 3968    cmd.exe -> poop.exe (3 occurrences)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080 -
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "poop" /tr '"C:\Users\Admin\AppData\Roaming\poop.exe"' & exit
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068 -
    Level 3: C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "poop" /tr '"C:\Users\Admin\AppData\Roaming\poop.exe"'
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4672 -
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp86D3.tmp.bat""
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956 -
    Level 3: C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 3
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1140 -
    Level 3: C:\Users\Admin\AppData\Roaming\poop.exe
    Command line: "C:\Users\Admin\AppData\Roaming\poop.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
148B
MD5 403eb90ca2b64b0ffff8789e2a881b03
SHA1 b4edaaf248cbafe2a47c1d89283800e98284cdcf
SHA256 2b192d7b3f5b655fafc6a8e012863a8c47c4a13b89a1bdaa26cb7104b7fa6742
SHA512 aa4f404bad74a466f231a000bb44e2b64671c61229f7f3cdf32b22b8eae64a7ff202cb9cbeaba827cebce1eb4f0305cc415ab15008d076608d4659a4b0075b1c
-
Filesize
47KB
MD5 70c599d7fea4b5a29f7adae785ce9bf1
SHA1 46c508df2a683eb0b2b507badc214f8e6bf13b6a
SHA256 1dc3e04c25cce7028ef9f5b645dfa6cc113c8bb3bc92aeb7d8ecf547ce12579a
SHA512 356a917c7e44a12f6a97551f907cfbd5b693ae19c7cdcb590c1691f0d4443bb3c5f56a246f5a1186ce3b6eaf5ce059047a95b3dfa2d925f470877873d4c2a09e