Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 03:00
Behavioral task
behavioral1
Sample
bro.exe
Resource
win7-20240903-en
General
-
Target
bro.exe
-
Size
47KB
-
MD5
83fc5776b79aad95fecd322f11f80187
-
SHA1
412ccb9ab9e743907eef7be3b47568decefbd15f
-
SHA256
e87744178fba28b505eccbf4847a77f84877a8bd8f50ce17f5f6f68a0ea41327
-
SHA512
1552e626f349c66f7e555326e68d97aa87a4971b6c4b912514f1bfa39036d17c9295e88e0f49c349cac2758974e060535044ea4d09a25f2949f45ab79f0c838b
-
SSDEEP
768:MuY69T3kH1jWUvTqRmo2qbRc4wmDPItjd0axq0bE6zrvtOoqJ/UBDZ0x:MuY69T34y2AwmMtjZHbE6/vgMd0x
Malware Config
Extracted
asyncrat
0.5.8
Default
desktop-ukmnq5d-wasda.at.remote.it:33006
tTT9mCTiJnq9
-
delay
3
-
install
true
-
install_file
roar.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x0039000000018662-13.dat family_asyncrat -
Executes dropped EXE 1 IoCs
pid Process 2612 roar.exe -
Loads dropped DLL 1 IoCs
pid Process 2724 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language roar.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bro.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2372 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1748 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2708 bro.exe 2708 bro.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2708 bro.exe Token: SeDebugPrivilege 2612 roar.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2688 2708 bro.exe 30 PID 2708 wrote to memory of 2688 2708 bro.exe 30 PID 2708 wrote to memory of 2688 2708 bro.exe 30 PID 2708 wrote to memory of 2688 2708 bro.exe 30 PID 2708 wrote to memory of 2724 2708 bro.exe 32 PID 2708 wrote to memory of 2724 2708 bro.exe 32 PID 2708 wrote to memory of 2724 2708 bro.exe 32 PID 2708 wrote to memory of 2724 2708 bro.exe 32 PID 2724 wrote to memory of 2372 2724 cmd.exe 35 PID 2724 wrote to memory of 2372 2724 cmd.exe 35 PID 2724 wrote to memory of 2372 2724 cmd.exe 35 PID 2724 wrote to memory of 2372 2724 cmd.exe 35 PID 2688 wrote to memory of 1748 2688 cmd.exe 34 PID 2688 wrote to memory of 1748 2688 cmd.exe 34 PID 2688 wrote to memory of 1748 2688 cmd.exe 34 PID 2688 wrote to memory of 1748 2688 cmd.exe 34 PID 2724 wrote to memory of 2612 2724 cmd.exe 36 PID 2724 wrote to memory of 2612 2724 cmd.exe 36 PID 2724 wrote to memory of 2612 2724 cmd.exe 36 PID 2724 wrote to memory of 2612 2724 cmd.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\bro.exe"C:\Users\Admin\AppData\Local\Temp\bro.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1748
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFF1.tmp.bat""2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2372
-
-
C:\Users\Admin\AppData\Roaming\roar.exe"C:\Users\Admin\AppData\Roaming\roar.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148B
MD520d85b4d92e175f3206eea269e5bf553
SHA153975723b24bcdfe46e7c9736c58d995a099f5dc
SHA2568b956103b8077b2a42b20b14aaa6a4d1335702029565c33d13ea0f0e81c4a961
SHA512c694cea4d9277e7df883b3eed63b663903ab349b34adb10d67bf0d9ccc3342913aa55774eab32ea4d89fbff76ecd33b4d1bf887f5b2ca53e49505370b6856c52
-
Filesize
47KB
MD583fc5776b79aad95fecd322f11f80187
SHA1412ccb9ab9e743907eef7be3b47568decefbd15f
SHA256e87744178fba28b505eccbf4847a77f84877a8bd8f50ce17f5f6f68a0ea41327
SHA5121552e626f349c66f7e555326e68d97aa87a4971b6c4b912514f1bfa39036d17c9295e88e0f49c349cac2758974e060535044ea4d09a25f2949f45ab79f0c838b