Analysis
max time kernel: 145s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 16:44

Static task: static1
Behavioral task: behavioral1
Sample: flash/flash.exe
Resource: win7-20240903-en
General
Target: flash/flash.exe
Size: 450KB
MD5: 669a5b5d993f472a4ab68e4405649fde
SHA1: 56332c906d54312d99e71c649cbd7fe1e0639c83
SHA256: 29372ef20086423e80fecb84a9ad7980f781433772c6d05f3134037ab819badc
SHA512: 46012e73b835372c0c9f424c8afeb8cf2b29a8c03023d6265534da55f310c2cdd682590deafe065430980d9608733db5da65f59d7dc650f7347408b31a8e7ae8
SSDEEP: 12288:Ih1Lk70TnvjcbqPOdpMFgclmThae2zsWFBjlSc+n:Uk70Trce2d4JKUsWLlP6
Malware Config
Extracted
Family: asyncrat
Version: Link-Quit
Botnet: Default
C2: info.ctxcel.com:443
Mutex: DcRatMutex_qwqdanchun
delay: 1
install: true
install_file: server.exe
install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/1956-16-0x0000000005070000-0x0000000005086000-memory.dmp  family_asyncrat
- Executes dropped EXE (1 IoC)
  pid   Process
  2720  server.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  2760  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flash.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server.exe
- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2728  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2748  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1956  flash.exe
  1956  flash.exe
  1956  flash.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1956  flash.exe
  Token: SeDebugPrivilege  1956  flash.exe
  Token: SeDebugPrivilege  2720  server.exe
  Token: SeDebugPrivilege  2720  server.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process    procid_target
  PID 1956 wrote to memory of 1628  1956  flash.exe  30
  PID 1956 wrote to memory of 1628  1956  flash.exe  30
  PID 1956 wrote to memory of 1628  1956  flash.exe  30
  PID 1956 wrote to memory of 1628  1956  flash.exe  30
  PID 1956 wrote to memory of 2760  1956  flash.exe  32
  PID 1956 wrote to memory of 2760  1956  flash.exe  32
  PID 1956 wrote to memory of 2760  1956  flash.exe  32
  PID 1956 wrote to memory of 2760  1956  flash.exe  32
  PID 1628 wrote to memory of 2748  1628  cmd.exe    34
  PID 1628 wrote to memory of 2748  1628  cmd.exe    34
  PID 1628 wrote to memory of 2748  1628  cmd.exe    34
  PID 1628 wrote to memory of 2748  1628  cmd.exe    34
  PID 2760 wrote to memory of 2728  2760  cmd.exe    35
  PID 2760 wrote to memory of 2728  2760  cmd.exe    35
  PID 2760 wrote to memory of 2728  2760  cmd.exe    35
  PID 2760 wrote to memory of 2728  2760  cmd.exe    35
  PID 2760 wrote to memory of 2720  2760  cmd.exe    36
  PID 2760 wrote to memory of 2720  2760  cmd.exe    36
  PID 2760 wrote to memory of 2720  2760  cmd.exe    36
  PID 2760 wrote to memory of 2720  2760  cmd.exe    36
Processes
C:\Users\Admin\AppData\Local\Temp\flash\flash.exe (PID 1956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\flash\flash.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1628)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2748)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  C:\Windows\SysWOW64\cmd.exe (PID 2760)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB339.tmp.bat""
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 2728)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\server.exe (PID 2720)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 150B
  MD5: a3e53f26966121b08584a8d0b1459eca
  SHA1: 00d96abf87e184befb6a6d95d80b1b75b9b68e7a
  SHA256: 61ce3ffbf561e52401baf76f9a73b69e81cb5ed12cb9818053b46d1983ef13c7
  SHA512: d59e5178f5de7c41f13c6af603d46f50f26e7ef7a04b688eb9ed0a6ec13cb2e9004b848b15ef9e37c3c09cc04e268bc290a538aefbece3be941871de1100efd2
- Filesize: 450KB
  MD5: 669a5b5d993f472a4ab68e4405649fde
  SHA1: 56332c906d54312d99e71c649cbd7fe1e0639c83
  SHA256: 29372ef20086423e80fecb84a9ad7980f781433772c6d05f3134037ab819badc
  SHA512: 46012e73b835372c0c9f424c8afeb8cf2b29a8c03023d6265534da55f310c2cdd682590deafe065430980d9608733db5da65f59d7dc650f7347408b31a8e7ae8