Analysis
max time kernel: 149s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-12-2024 21:53
Behavioral task: behavioral1
Sample: raokfhsjdgfb.exe
Resource: win10v2004-20241007-en
General
Target: raokfhsjdgfb.exe
Size: 47KB
MD5: 750a92e39718ae101d63a8e6c11ba788
SHA1: 8619dc026b09a14cd92c8521e700b702ffe25507
SHA256: bd1736e672b3766e998c37fae9aaf8e381bc9300538e1533f97f88dc4c706817
SHA512: a8c32a3adb01473f10023be9b9757d638ac3006f13ea9c5d4a664a9af0d0a4cebff33ca8dd537d87ba083cb99b4f2f187636d158ec2a1d96e4089354c5648d39
SSDEEP: 768:kuY69T3kH1jWUvTqRmo2qbz7njNrPaPIlsR10bPHefQB1AL2UWBDZcx:kuY69T34y2gNPlskbP+fzL2Vdcx
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
weak-onions-tap.loca.lt:6606
weak-onions-tap.loca.lt:7707
weak-onions-tap.loca.lt:8808
kal8dl52UUgv
delay: 3
install: true
install_file: roar.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoCs)
resource: behavioral2/files/0x001a00000002ab31-12.dat, yara_rule: family_asyncrat

Executes dropped EXE (1 IoCs)
pid 4412, process roar.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by roar.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by raokfhsjdgfb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by timeout.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 by taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A by taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName by taskmgr.exe

Delays execution with timeout.exe (1 IoCs)
pid 780, process timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 3368, process schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4232 raokfhsjdgfb.exe and pid 3748 taskmgr.exe (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid 3748, process taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token: SeDebugPrivilege, pid 4232, raokfhsjdgfb.exe
Token: SeDebugPrivilege, pid 4412, roar.exe
Token: SeDebugPrivilege, pid 3748, taskmgr.exe
Token: SeSystemProfilePrivilege, pid 3748, taskmgr.exe
Token: SeCreateGlobalPrivilege, pid 3748, taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid 3748 taskmgr.exe (repeated entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid 3748 taskmgr.exe (repeated entries)

Suspicious use of WriteProcessMemory (15 IoCs)
PID 4232 (raokfhsjdgfb.exe) wrote to memory of 3884, procid_target 80 (3 entries)
PID 4232 (raokfhsjdgfb.exe) wrote to memory of 4160, procid_target 82 (3 entries)
PID 4160 (cmd.exe) wrote to memory of 780, procid_target 84 (3 entries)
PID 3884 (cmd.exe) wrote to memory of 3368, procid_target 85 (3 entries)
PID 4160 (cmd.exe) wrote to memory of 4412, procid_target 86 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\raokfhsjdgfb.exe (PID 4232)
  command line: "C:\Users\Admin\AppData\Local\Temp\raokfhsjdgfb.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 3884)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 3368)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (PID 4160)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 780)
      command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\roar.exe (PID 4412)
      command line: "C:\Users\Admin\AppData\Roaming\roar.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 3748)
  command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 148B
MD5: d589c8807478ded55614322785d70b82
SHA1: d69c0373f76c124028f480a7659cce6a1800036d
SHA256: c030c847c0ed637e4aed3502d0d44e5aed9722bf0ac645a7319e534b67229735
SHA512: ce3f19193741cf0a7ccf13308eb3a15530c6db3ac8c0981901f8b6bbca936727969f37aba55c38c47cc19ccc7c2fae43c426723cb4e97b50e65e35670ac05b0a

Filesize: 47KB
MD5: 750a92e39718ae101d63a8e6c11ba788
SHA1: 8619dc026b09a14cd92c8521e700b702ffe25507
SHA256: bd1736e672b3766e998c37fae9aaf8e381bc9300538e1533f97f88dc4c706817
SHA512: a8c32a3adb01473f10023be9b9757d638ac3006f13ea9c5d4a664a9af0d0a4cebff33ca8dd537d87ba083cb99b4f2f187636d158ec2a1d96e4089354c5648d39