Analysis
max time kernel: 26s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-12-2024 15:14
General
Target: Client.exe
Size: 74KB
MD5: 6d047d603a107c3193aef35717af7b6f
SHA1: 32034f120ac1c1132e137ddba1e6220aacb702a2
SHA256: ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92
SHA512: 00ea5f0686d40dbae3958cb67324fdf8c0f1d493af497b84d0989437c14166e10ffae370f62d8c0eeb929e9ca65aa20ffcc815b8d585a9b2f53c062b04cd2639
SSDEEP: 1536:9UOgcxLVNCBWPMVWe9VdQuDI6H1bf/4VAQzcmLVclN:9UfcxLfaWPMVWe9VdQsH1bfgeQ/BY
Malware Config
Extracted
family: asyncrat
version string: Venom RAT + HVNC + Stealer + Grabber v6.0.3
botnet/group: Default (field label inferred from the AsyncRAT config layout; the extraction shows only the value)
C2: 127.0.0.1:4449
mutex: bgflrgweuset (field label inferred from the AsyncRAT config layout; the extraction shows only the value)
delay: 1
install: true
install_file: defender.exe
install_folder: %AppData%

The C2 is the loopback address, so this build cannot reach an external controller from the sandbox; the Network section below is empty, which is consistent with that. The install settings match the process tree: the sample is copied to %AppData% as defender.exe, launched from a temporary batch script after a timeout, and registered as an onlogon scheduled task named "defender".
Signatures
Asyncrat family
Async RAT payload (1 IoC)
  resource: behavioral1/files/0x001e00000002aa82-12.dat, yara_rule: family_asyncrat
Executes dropped EXE (1 IoC)
  pid 2932, defender.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  pid 4128, timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3556, schtasks.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 4880, Client.exe (17 events); pid 2932, defender.exe (6 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4880, Client.exe
  Token: SeDebugPrivilege, pid 2932, defender.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2932, defender.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process     procid_target
  PID 4880 wrote to memory of 72      4880  Client.exe  77  (2 events)
  PID 4880 wrote to memory of 4256    4880  Client.exe  78  (2 events)
  PID 4256 wrote to memory of 4128    4256  cmd.exe     81  (2 events)
  PID 72 wrote to memory of 3556      72    cmd.exe     82  (2 events)
  PID 4256 wrote to memory of 2932    4256  cmd.exe     83  (2 events)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1  C:\Users\Admin\AppData\Local\Temp\Client.exe  (PID 4880)
   command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\System32\cmd.exe  (PID 72)
     command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"' & exit
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\schtasks.exe  (PID 3556)
       command line: schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"'
       - Scheduled Task/Job: Scheduled Task
  2  C:\Windows\system32\cmd.exe  (PID 4256)
     command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA27A.tmp.bat""
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\timeout.exe  (PID 4128)
       command line: timeout 3
       - Delays execution with timeout.exe
    3  C:\Users\Admin\AppData\Roaming\defender.exe  (PID 2932)
       command line: "C:\Users\Admin\AppData\Roaming\defender.exe"
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
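The install chain above (Client.exe spawns one cmd.exe that registers an onlogon task with /rl highest pointing into AppData\Roaming, and a second cmd.exe that runs a Temp batch script which waits with timeout.exe and then launches the dropped defender.exe) is the pattern a detection engineer wants to catch in process-creation telemetry. The following is an added example, not part of the sandbox report or of any detection the sandbox ships: the event list is constructed from the report's process tree (PIDs, parents, images and command lines as listed), while the rule names, the user-writable path pattern and the ProcEvent field layout are assumptions of this example.

```python
"""Flag the AsyncRAT/VenomRAT install chain from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; the rule names, USER_WRITABLE pattern and the
ProcEvent layout are this example's own choices. Real Sysmon event ID 1
or EDR process-creation records can be mapped onto ProcEvent and passed
to analyze() unchanged.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 marks the submitted sample.
EVENTS = [
    ProcEvent(4880, 0, r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Client.exe"'),
    ProcEvent(72, 4880, r"C:\Windows\System32\cmd.exe",
              r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"' & exit"""),
    ProcEvent(3556, 72, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"'"""),
    ProcEvent(4256, 4880, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA27A.tmp.bat""'),
    ProcEvent(4128, 4256, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(2932, 4256, r"C:\Users\Admin\AppData\Roaming\defender.exe",
              r'"C:\Users\Admin\AppData\Roaming\defender.exe"'),
]

# Folders a standard user can write to. A task action or freshly launched
# binary under one of these matches the AsyncRAT install_folder %AppData%.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\(Roaming|Local)|Downloads|Desktop)\\", re.I)


def flag_schtasks_persistence(ev):
    """Logon-triggered task (ATT&CK T1053.005) whose action lives in a user-writable folder."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    low = ev.cmdline.lower()
    if "/create" not in low or "/sc onlogon" not in low:
        return None
    # /tr value may be wrapped in '"..."' as in the report; strip both quote kinds.
    tr = re.search(r"/tr\s+['\"]*([^'\"]+)", ev.cmdline, re.I)
    target = tr.group(1).strip() if tr else ""
    if not USER_WRITABLE.search(target):
        return None
    tn = re.search(r"/tn\s+\"?([^\"\s]+)", ev.cmdline, re.I)
    return {"rule": "schtasks_onlogon_userdir", "pid": ev.pid,
            "task": tn.group(1) if tn else "", "target": target,
            "highest": "/rl highest" in low}


def flag_batch_dropper(ev, children):
    """cmd.exe running a .bat from Temp that launches an exe from a user-writable folder."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    script = re.search(r'([A-Za-z]:\\[^"]*?\\Temp\\[^"]+\.bat)', ev.cmdline, re.I)
    if not script:
        return None
    kids = children.get(ev.pid, [])
    launched = [k.image for k in kids
                if USER_WRITABLE.search(k.image) and k.image.lower().endswith(".exe")]
    if not launched:
        return None
    return {"rule": "temp_bat_launches_userdir_exe", "pid": ev.pid,
            "script": script.group(1), "launched": launched,
            "delayed": any(k.image.lower().endswith("\\timeout.exe") for k in kids)}


def ancestry(pid, by_pid):
    """Image names from the root process down to pid, e.g. ['Client.exe', 'cmd.exe', 'schtasks.exe']."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev.image.rsplit("\\", 1)[-1])
        pid = ev.ppid
    return list(reversed(chain))


def analyze(events):
    """Run both rules over every event; each finding carries its parent chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        for hit in (flag_schtasks_persistence(e), flag_batch_dropper(e, children)):
            if hit:
                hit["chain"] = ancestry(e.pid, by_pid)
                findings.append(hit)
    return findings


def persisted_binary_executed(findings):
    """True when the task action path is also a binary the batch dropper launched."""
    targets = {f["target"].lower() for f in findings if f["rule"] == "schtasks_onlogon_userdir"}
    launched = {p.lower() for f in findings if f["rule"] == "temp_bat_launches_userdir_exe"
                for p in f["launched"]}
    return bool(targets & launched)


if __name__ == "__main__":
    hits = analyze(EVENTS)
    for h in hits:
        print(h["rule"], h["pid"], " -> ".join(h["chain"]))
    print("persisted binary was executed:", persisted_binary_executed(hits))
```

Both rules key on the same invariant, a binary under a user-writable profile folder, rather than on the task name or the file name "defender.exe", which the builder lets the operator choose. The correlation in persisted_binary_executed() is what raises confidence: a task pointing into AppData is suspicious on its own, but a task whose action is the very file a Temp batch script just launched after a timeout is the AsyncRAT installer.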
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (152B)
  MD5: a8d61d9b03a230170d40b85c8b63b6a5
  SHA1: cb141c3af5385b8beaab19d9362745e36a33a0d9
  SHA256: 1b6f16bfc9e04753a0fca611beb92e06c709c8ac7ef0c28810dab2d15ca49f54
  SHA512: 89ed3701d12acb6193a1a9c052ada0cdeb28c767a937ad283d0fc77716976deefa0a5d104a0e238410fed841f8aa78c7feb61e63623e62d8688d84255e1ba5fe
File 2 (8B)
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
File 3 (74KB; hashes identical to the submitted Client.exe)
  MD5: 6d047d603a107c3193aef35717af7b6f
  SHA1: 32034f120ac1c1132e137ddba1e6220aacb702a2
  SHA256: ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92
  SHA512: 00ea5f0686d40dbae3958cb67324fdf8c0f1d493af497b84d0989437c14166e10ffae370f62d8c0eeb929e9ca65aa20ffcc815b8d585a9b2f53c062b04cd2639