Analysis
max time kernel: 5s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 19:21
Behavioral task: behavioral1
Sample: 6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe
Resource: win7-20240903-en
General
Target: 6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe
Size: 73KB
MD5: 75e679528300f0eec2aab97faf87a0b1
SHA1: 5f5e310edf9b08693a31003a91071b5b4b7bfd39
SHA256: 6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618
SHA512: 7b051d593aa6c20ec50018c56f834388345f025c2e5257cd0c887aeb15f6e6302e57c91b3009ae65a5456aef3c338a5603bda45240eaa325e7636475fe01d935
SSDEEP: 768:btF3S1PK+iPDVwir9JSIEZvkYIuu7tkA1+BSrv7mqb2nyHpwH1oQWM4Vp8GX90P7:BkKhJ2ZsYCnn/bb5weMrGX90+t3VclN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex: DcRatMutex_qwqdanchun
Attributes:
  delay: 3
  install: true
  install_file: MicrosoftEdgeUpdate.exe
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/ZnhxAV6a
Signatures

Asyncrat family

Async RAT payload (1 IoC)
  resource                                      yara_rule
  behavioral1/files/0x0009000000016d4f-16.dat   family_asyncrat

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow   ioc
  4      pastebin.com
  5      pastebin.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid    Process
  1620   timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2476   schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid    Process
  1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe
  1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe
  1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 1908 wrote to memory of 2328   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe   30
  PID 1908 wrote to memory of 2328   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe   30
  PID 1908 wrote to memory of 2328   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe   30
  PID 1908 wrote to memory of 2300   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe   32
  PID 1908 wrote to memory of 2300   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe   32
  PID 1908 wrote to memory of 2300   1908   6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe   32
  PID 2328 wrote to memory of 2476   2328   cmd.exe                                                                 34
  PID 2328 wrote to memory of 2476   2328   cmd.exe                                                                 34
  PID 2328 wrote to memory of 2476   2328   cmd.exe                                                                 34
  PID 2300 wrote to memory of 1620   2300   cmd.exe                                                                 35
  PID 2300 wrote to memory of 1620   2300   cmd.exe                                                                 35
  PID 2300 wrote to memory of 1620   2300   cmd.exe                                                                 35
Processes

1. C:\Users\Admin\AppData\Local\Temp\6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618.exe"
   PID: 1908
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftEdgeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate.exe"' & exit
      PID: 2328
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\schtasks.exe
         Command line: schtasks /create /f /sc onlogon /rl highest /tn "MicrosoftEdgeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate.exe"'
         PID: 2476
         - Scheduled Task/Job: Scheduled Task

   2. C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC63C.tmp.bat""
      PID: 2300
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\timeout.exe
         Command line: timeout 3
         PID: 1620
         - Delays execution with timeout.exe

      3. C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate.exe
         Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate.exe"
         PID: 2856
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 163B
MD5: 404ddeb551acc17ab3f8f4110282bcee
SHA1: 5005e43e03b7595427c55c5eab2904ad7021ef41
SHA256: f7f440138391955281723d4c6f7538364c9e671ea19041e67c7990b39a412ead
SHA512: 3dab029c0e1a4a99bf99be9aa8a3246886a4929484974566b7ba8f2d03a1170b66420ed72247d3047170f361027495130afecef5e4446387df9ee9b1706c0aa4

Filesize: 73KB
MD5: 75e679528300f0eec2aab97faf87a0b1
SHA1: 5f5e310edf9b08693a31003a91071b5b4b7bfd39
SHA256: 6cdd270a2bad95c8a063a9fe876f6c454f2b5219164c476e2bf94350ab050618
SHA512: 7b051d593aa6c20ec50018c56f834388345f025c2e5257cd0c887aeb15f6e6302e57c91b3009ae65a5456aef3c338a5603bda45240eaa325e7636475fe01d935