Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-12-2024 03:00
Behavioral task: behavioral1
Sample: roaricle.exe
Resource: win7-20240903-en
General
Target: roaricle.exe
Size: 63KB
MD5: 9f39043be09533636bbfdd4ec3101f6a
SHA1: 1e964ba2a874c24a5fdc430c827a1ba82dc657ab
SHA256: 179027517e90f9e8173f63ba247d7c0d414259fdef3a29a5692c85d84dce557d
SHA512: 09c0573e2f4db331714d86d32abf9623b5a9560c1e7ac8359a0ef434cc79940143e837a2674aa5140b79e1b1302faf75df9959d184109aad231db78a90139233
SSDEEP: 1536:PJxFz3FI8Cwof4wJ6Vfh2MBPG2bPw0mQCfhGxZVclN:PJxFz3FI8Cwo7J6VJL1G2bPTCfwzY
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
C2: fojeweb571-45302.portmap.host:4782
C2: fojeweb571-45302.portmap.host:45302
Mutex: DcRatMutex_qwqdanchun
Attributes
delay: 1
install: true
install_file: windows defender firewall.exe
install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0008000000023cb1-11.dat
  yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
  Process: roaricle.exe
- Executes dropped EXE (1 IoC)
  pid: 2524  Process: windows defender firewall.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid: 1496  Process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2484  Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid: 1056  Process: roaricle.exe (23 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 1056  Process: roaricle.exe
  description: Token: SeDebugPrivilege  pid: 2524  Process: windows defender firewall.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1056 wrote to memory of 1416 | 1056 | roaricle.exe | 83
  PID 1056 wrote to memory of 1416 | 1056 | roaricle.exe | 83
  PID 1056 wrote to memory of 4144 | 1056 | roaricle.exe | 85
  PID 1056 wrote to memory of 4144 | 1056 | roaricle.exe | 85
  PID 4144 wrote to memory of 1496 | 4144 | cmd.exe | 88
  PID 4144 wrote to memory of 1496 | 4144 | cmd.exe | 88
  PID 1416 wrote to memory of 2484 | 1416 | cmd.exe | 87
  PID 1416 wrote to memory of 2484 | 1416 | cmd.exe | 87
  PID 4144 wrote to memory of 2524 | 4144 | cmd.exe | 90
  PID 4144 wrote to memory of 2524 | 4144 | cmd.exe | 90
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\roaricle.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\roaricle.exe"
   PID: 1056
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit
      PID: 1416
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\schtasks.exe
         Command line: schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'
         PID: 2484
         - Scheduled Task/Job: Scheduled Task
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB4E8.tmp.bat""
      PID: 4144
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe
         Command line: timeout 3
         PID: 1496
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\windows defender firewall.exe
         Command line: "C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"
         PID: 2524
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 169B
MD5: 1584e10c4f1435ef7300f176e4a81515
SHA1: 8505263610fe9f68f72ceae402bb1eef77d1f682
SHA256: 50d93a9fe0c12d02fc6f135da92189ab804b7d9aa22ff65a011ce588fb399c5c
SHA512: 37c701bd64f53d56f7367d53d2eb2388ca046f779ba01f449f55afbf19dab474424d852771e85cd668789396c8f5ac518bc2f916ed2bbff952da0f17c080fcd0
File 2 (same hashes as the submitted sample roaricle.exe)
Filesize: 63KB
MD5: 9f39043be09533636bbfdd4ec3101f6a
SHA1: 1e964ba2a874c24a5fdc430c827a1ba82dc657ab
SHA256: 179027517e90f9e8173f63ba247d7c0d414259fdef3a29a5692c85d84dce557d
SHA512: 09c0573e2f4db331714d86d32abf9623b5a9560c1e7ac8359a0ef434cc79940143e837a2674aa5140b79e1b1302faf75df9959d184109aad231db78a90139233