Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 04:11
Behavioral task
behavioral1
Sample
a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe
Resource
win7-20240903-en
General
-
Target
a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe
-
Size
51KB
-
MD5
7bc2e6b25bfafe16708196e844dc1476
-
SHA1
4689ebd58df0eaa8f21191f1e0aae0259a2a7497
-
SHA256
a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06
-
SHA512
aef4619973c3d71ce6eda4f4c1d4be2dcd88fceaf48bf2b4efde7c762d3ac45a3d4900b33aea04dfbd40079a279efd7ea2505056f0828cdb364ee478627e9e6a
-
SSDEEP
1536:Wuir1TUKP2nwcvaOgnQtobdZ/CyiUdF2:WuiJTUKP2rS3n5bd/j2
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
8TdjLZxCzOjI
-
delay
3
-
install
true
-
install_file
client.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x0004000000004ed7-13.dat family_asyncrat -
Executes dropped EXE 1 IoCs
pid Process 2228 client.exe -
Loads dropped DLL 1 IoCs
pid Process 2652 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2788 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2768 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe Token: SeDebugPrivilege 2228 client.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1940 wrote to memory of 2840 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 31 PID 1940 wrote to memory of 2840 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 31 PID 1940 wrote to memory of 2840 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 31 PID 1940 wrote to memory of 2840 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 31 PID 1940 wrote to memory of 2652 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 33 PID 1940 wrote to memory of 2652 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 33 PID 1940 wrote to memory of 2652 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 33 PID 1940 wrote to memory of 2652 1940 a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe 33 PID 2652 wrote to memory of 2788 2652 cmd.exe 36 PID 2652 wrote to memory of 2788 2652 cmd.exe 36 PID 2652 wrote to memory of 2788 2652 cmd.exe 36 PID 2652 wrote to memory of 2788 2652 cmd.exe 36 PID 2840 wrote to memory of 2768 2840 cmd.exe 35 PID 2840 wrote to memory of 2768 2840 cmd.exe 35 PID 2840 wrote to memory of 2768 2840 cmd.exe 35 PID 2840 wrote to memory of 2768 2840 cmd.exe 35 PID 2652 wrote to memory of 2228 2652 cmd.exe 37 PID 2652 wrote to memory of 2228 2652 cmd.exe 37 PID 2652 wrote to memory of 2228 2652 cmd.exe 37 PID 2652 wrote to memory of 2228 2652 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe"C:\Users\Admin\AppData\Local\Temp\a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF289.tmp.bat""2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2788
-
-
C:\Users\Admin\AppData\Roaming\client.exe"C:\Users\Admin\AppData\Roaming\client.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD5cd8eab0d02823eed651fd2ff46e1308c
SHA1cf8a4134e0acecd574ffc66dbe35a8853c447bbd
SHA2562cb62af13b770fa2a855fdab436e16371381306995482ad41bb1378a1257e7b6
SHA512258d9177af0bdeb7387e9ecd71588aeb4950fc8ca93dce5ee8fecd09f92589a3e6da2c00d3c5f3471942f9e6272163f205342dde98e7ebc0bf9987f98b53238f
-
Filesize
51KB
MD57bc2e6b25bfafe16708196e844dc1476
SHA14689ebd58df0eaa8f21191f1e0aae0259a2a7497
SHA256a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06
SHA512aef4619973c3d71ce6eda4f4c1d4be2dcd88fceaf48bf2b4efde7c762d3ac45a3d4900b33aea04dfbd40079a279efd7ea2505056f0828cdb364ee478627e9e6a