Overview

overview

10

Static

static

10

Project Buu.rar

windows7-x64

10

Project Buu.rar

windows10-2004-x64

10

Project Bu...es.exe

windows7-x64

10

Project Bu...es.exe

windows10-2004-x64

10

Project Bu...Buu.py

windows7-x64

3

Project Bu...Buu.py

windows10-2004-x64

3

Project Buu/READ.txt

windows7-x64

1

Project Buu/READ.txt

windows10-2004-x64

3

Analysis

  • max time kernel
    1562s
  • max time network
    1563s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Project Buu/Dependencies/Dependencies.exe

  • Size

    63KB

  • MD5

    97be07e4d8fa640d71aa049385d8bcc2

  • SHA1

    cd21b0a98183abe177ce6b1a857f9b4166100b4d

  • SHA256

    df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31

  • SHA512

    23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4

  • SSDEEP

    768:b2yVjLFj7778BIC8A+XkaazcBRL5JTk1+T4KSBGHmDbD/ph0oX2f2/F5qVKGVxSD:jJ7TPdSJYUbdh9GMMKGOuodpqKmY7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

79.110.49.58:3232

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Security .exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Project Buu\Dependencies\Dependencies.exe
    "C:\Users\Admin\AppData\Local\Temp\Project Buu\Dependencies\Dependencies.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2380
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9E4.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2232
      • C:\Users\Admin\AppData\Roaming\Windows Security .exe
        "C:\Users\Admin\AppData\Roaming\Windows Security .exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Security "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "Windows Security "
            5⤵
              PID:1308
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3886.tmp.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\system32\timeout.exe
              timeout 3
              5⤵
              • Delays execution with timeout.exe
              PID:540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CabF578.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar35F4.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp3886.tmp.bat
      Filesize

      166B

      MD5

      df2d335278f1ed87882f697dc81348e1

      SHA1

      4ee443d72fa490a2ab04eb3d5af686f38dce74d2

      SHA256

      5cf3bc7331af21ec2b476abd9b66f1118ea0f038420f0c7e196d70e724cffc86

      SHA512

      09de57579c2a4d813efa7e8b6bda6c93ecea3b72a5746f9cf488585ece0723ca57e48026a45b24207366d6a7cf0834811298d7aa8a172d96995bfe95d6177732

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC9E4.tmp.bat
      Filesize

      161B

      MD5

      c790e052f92183987e3ffe899b1f7966

      SHA1

      d057af4336e688bfaadff5ab97e3d7b4bf29350a

      SHA256

      ee9f031ec9d69e3c0682ea1a0235bb0f625cdb64657f6028c510e408bab5eeb1

      SHA512

      7ab5e6e6924cf0056f36357fb697dae4f5e227c619aece8997af04f8bf5ea063355719ab86c273f69f5dcdc9f1cb1841d0caef95b073857a4c2d54bd89b39105

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows Security .exe
      Filesize

      63KB

      MD5

      97be07e4d8fa640d71aa049385d8bcc2

      SHA1

      cd21b0a98183abe177ce6b1a857f9b4166100b4d

      SHA256

      df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31

      SHA512

      23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4

      Download Submit

    • memory/2148-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-1-0x0000000000E10000-0x0000000000E26000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2148-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2148-3-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2148-13-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2840-17-0x0000000001250000-0x0000000001266000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2840-35-0x00000000006C0000-0x0000000000772000-memory.dmp

      Filesize

      712KB

      Download