Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 16:44

Static task: static1
Behavioral task: behavioral1
Sample: flash/flash.exe
Resource: win7-20240903-en
General

Target: flash/flash.exe
Size: 450KB
MD5: 669a5b5d993f472a4ab68e4405649fde
SHA1: 56332c906d54312d99e71c649cbd7fe1e0639c83
SHA256: 29372ef20086423e80fecb84a9ad7980f781433772c6d05f3134037ab819badc
SHA512: 46012e73b835372c0c9f424c8afeb8cf2b29a8c03023d6265534da55f310c2cdd682590deafe065430980d9608733db5da65f59d7dc650f7347408b31a8e7ae8
SSDEEP: 12288:Ih1Lk70TnvjcbqPOdpMFgclmThae2zsWFBjlSc+n:Uk70Trce2d4JKUsWLlP6
Malware Config

Extracted: asyncrat
Link-Quit
Default
info.ctxcel.com:443
DcRatMutex_qwqdanchun

Attributes:
delay: 1
install: true
install_file: server.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoCs)
  resource: behavioral2/memory/324-16-0x0000000004D20000-0x0000000004D36000-memory.dmp
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
  Process: flash.exe

Executes dropped EXE (1 IoCs)
  pid: 1968  Process: server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flash.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Delays execution with timeout.exe (1 IoCs)
  pid: 628  Process: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4512  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid: 324  Process: flash.exe  (23 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description: Token: SeDebugPrivilege  pid: 324   Process: flash.exe   (2 identical entries)
  description: Token: SeDebugPrivilege  pid: 1968  Process: server.exe  (2 identical entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process    procid_target
  PID 324 wrote to memory of 4216   324   flash.exe  82   (3 identical entries)
  PID 324 wrote to memory of 2680   324   flash.exe  84   (3 identical entries)
  PID 2680 wrote to memory of 628   2680  cmd.exe    86   (3 identical entries)
  PID 4216 wrote to memory of 4512  4216  cmd.exe    87   (3 identical entries)
  PID 2680 wrote to memory of 1968  2680  cmd.exe    88   (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\flash\flash.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\flash\flash.exe"
  PID: 324
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"' & exit
    PID: 4216
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "server" /tr '"C:\Users\Admin\AppData\Roaming\server.exe"'
      PID: 4512
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6AC0.tmp.bat""
    PID: 2680
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 628
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      PID: 1968
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 150B
MD5: 636b72d03dbe7fb6595a3ef7dcf73fed
SHA1: 72a1ec90b4b8bf4a7a62a6c3cf89b4dd6ac23b4b
SHA256: 6d78b60dab560c6cd609e27a570c2193374906eb1dfd96b18e7d4d2291fd5f25
SHA512: 9bb79752c93df68e9320d25834f818c68cf8cedbf4503501aaf36b10855b3e1b92b96a9bb83bef2aabbbd4e62f89b4cd6dd6216335ef35260b7589885a553093

Filesize: 450KB
MD5: 669a5b5d993f472a4ab68e4405649fde
SHA1: 56332c906d54312d99e71c649cbd7fe1e0639c83
SHA256: 29372ef20086423e80fecb84a9ad7980f781433772c6d05f3134037ab819badc
SHA512: 46012e73b835372c0c9f424c8afeb8cf2b29a8c03023d6265534da55f310c2cdd682590deafe065430980d9608733db5da65f59d7dc650f7347408b31a8e7ae8