Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 10:25

Static task: static1
Behavioral task: behavioral1
Sample: 563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe
Resource: win7-20241010-en
General

Target: 563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe
Size: 2.9MB
MD5: cb6633f84d025274ebfba538e8d1c372
SHA1: 098dd07b8ec18dbe2b8f957307aa344c690af16d
SHA256: 563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3
SHA512: c94789933c37c0c2c746b42dae70f0b387e42972b7468c257d58f35327e9e5e46b72fbf893a369cb6cc87de6a88f56307815b1db420959ce4aa65e07aceddb6c
SSDEEP: 49152:3secMhf75LxU9wBUcIlKSeY36ZUdEcA5w5FeIY0gHGf8GlFSI4v1YojKr:cDMLEwBUVcx5UGdw5FeI1xf8GTSI4e
Malware Config

Signatures

- Asyncrat family

- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0008000000023ca5-21.dat
  yara_rule: family_asyncrat

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: 563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: Runtime Broker.exe)

- Executes dropped EXE (3 IoCs)
  PID 4612: MiniMailViewer.exe
  PID 4824: Runtime Broker.exe
  PID 4216: Runtime Broker.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once by each of: cmd.exe, cmd.exe, schtasks.exe, timeout.exe, Runtime Broker.exe, MiniMailViewer.exe, Runtime Broker.exe

- Delays execution with timeout.exe (1 IoC)
  PID 3324: timeout.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1744: schtasks.exe

- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 4824: Runtime Broker.exe (the same entry is recorded 23 times)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4824: Runtime Broker.exe
  Token: SeDebugPrivilege, PID 4216: Runtime Broker.exe

- Suspicious use of WriteProcessMemory (21 IoCs)
  Each of the following writes is recorded three times in the report (7 distinct entries):
  PID 2248 (563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe) wrote to memory of 4612, procid_target 83
  PID 2248 (563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe) wrote to memory of 4824, procid_target 84
  PID 4824 (Runtime Broker.exe) wrote to memory of 2452, procid_target 85
  PID 4824 (Runtime Broker.exe) wrote to memory of 1600, procid_target 87
  PID 2452 (cmd.exe) wrote to memory of 1744, procid_target 89
  PID 1600 (cmd.exe) wrote to memory of 3324, procid_target 90
  PID 1600 (cmd.exe) wrote to memory of 4216, procid_target 97
Processes

- C:\Users\Admin\AppData\Local\Temp\563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe (depth 1, PID 2248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\563dd94590408df258e1b8364870432b47eb85eac99ee57d252114a726c863f3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MiniMailViewer.exe (depth 2, PID 4612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MiniMailViewer.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe (depth 2, PID 4824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2452)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\schtasks.exe (depth 4, PID 1744)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1600)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A6.tmp.bat""
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\timeout.exe (depth 4, PID 3324)
        Command line: timeout 3
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe

      - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe (depth 4, PID 4216)
        Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 522B
  MD5: acc9090417037dfa2a55b46ed86e32b8
  SHA1: 53fa6fb25fb3e88c24d2027aca6ae492b2800a4d
  SHA256: 2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b
  SHA512: d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

- Filesize: 2.8MB
  MD5: 9d6468123f22e9622c66eb66e2919ce4
  SHA1: 8ff50b94f5327c4e246e1d422f18caadc510797a
  SHA256: d5a306dafe4778e26be59b37a4146225b6ff91b27ebab60030c44db32d3f4c4d
  SHA512: 72a220665748b7eae980e5ee813fd033e94e4a384a6f3ad5306a87a341bc91c2954578ddc8e1891299827ec022b518c1ae29c85cf220b7b50421d9fe4a16ede9

- Filesize: 145KB
  MD5: 6b085dea8173ba1ed3f10d003a0866b9
  SHA1: 2d3ae97f63afb748e1557e90c38e0954a0086431
  SHA256: ad2d510414d17508c57bb797de20ec9164cde2a3710b653edf7eb6bd8bf1a1f0
  SHA512: 83e6c84db37c2de26c6ce0839c8c03a83f831029556c53448d0e8ca006f3258b1de763148abe0f04c5d7b05fb8814f5cfd9d26c036b364c5858f6f2637e90cd5

- Filesize: 157B
  MD5: 58b64296c8e168196037d2441e9f41d1
  SHA1: fe3385297284291ef444f5b7adb0ad52ad3f756d
  SHA256: da1b5bd08baf5fd2bfbc86c2d5cc4caa2f1928f240abd42d2e9e56db1db89b10
  SHA512: 34036b2c4d9a3435b8a07d128b181009a169b97bd4e2e319753575b64bb69747b975035fd9e5f070c8c3818e34c5eb62468bd4822a3bbda0729a9c2cf7a6247b