Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
30/03/2025, 08:17
Static task
static1
Behavioral task
behavioral1
Sample
014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe
Resource
win7-20240903-en
General
-
Target
014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe
-
Size
798KB
-
MD5
0997e0d8d2828ad4da27e830fd6562d3
-
SHA1
ddcb9cb2462b6f7b2a688a7696e49164a1d40d44
-
SHA256
014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed
-
SHA512
4e356cef6d1d50d1d7ab249177703d06f6a34c0b37405e00c47d850aeac782a6fd0562daed815df05659ff16b81698cd6a11a034dc3b599f019d778cf67191ef
-
SSDEEP
12288:AyveQB/fTHIGaPkKEYzURNAwbAgWtJZLGxDUeYnqaGsSGo0/O6nG:AuDXTIGaPhEYzUzA0ASxA/qnsO6nG
Malware Config
Extracted
asyncrat
0.5.8
Default
opakk.hopto.org:34397
AkzHMC1tjq5U
-
delay
3
-
install
true
-
install_file
WUDFHost.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource                                    yara_rule
behavioral1/files/0x000900000001878c-7.dat  family_asyncrat
-
Executes dropped EXE 2 IoCs
pid   Process
2356  Test1.exe
1724  WUDFHost.exe
-
Loads dropped DLL 1 IoCs
pid   Process
2616  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WUDFHost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Test1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Delays execution with timeout.exe 1 IoCs
pid   Process
2632  timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2576  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   Process
2356  Test1.exe
2356  Test1.exe
2356  Test1.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  2356  Test1.exe
Token: SeDebugPrivilege  1724  WUDFHost.exe
Token: SeDebugPrivilege  1724  WUDFHost.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description                       pid   Process                                                                procid_target
PID 1924 wrote to memory of 2356  1924  014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe  31
PID 1924 wrote to memory of 2356  1924  014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe  31
PID 1924 wrote to memory of 2356  1924  014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe  31
PID 1924 wrote to memory of 2356  1924  014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe  31
PID 2356 wrote to memory of 2864  2356  Test1.exe                                                              34
PID 2356 wrote to memory of 2864  2356  Test1.exe                                                              34
PID 2356 wrote to memory of 2864  2356  Test1.exe                                                              34
PID 2356 wrote to memory of 2864  2356  Test1.exe                                                              34
PID 2356 wrote to memory of 2616  2356  Test1.exe                                                              36
PID 2356 wrote to memory of 2616  2356  Test1.exe                                                              36
PID 2356 wrote to memory of 2616  2356  Test1.exe                                                              36
PID 2356 wrote to memory of 2616  2356  Test1.exe                                                              36
PID 2864 wrote to memory of 2576  2864  cmd.exe                                                                38
PID 2864 wrote to memory of 2576  2864  cmd.exe                                                                38
PID 2864 wrote to memory of 2576  2864  cmd.exe                                                                38
PID 2864 wrote to memory of 2576  2864  cmd.exe                                                                38
PID 2616 wrote to memory of 2632  2616  cmd.exe                                                                39
PID 2616 wrote to memory of 2632  2616  cmd.exe                                                                39
PID 2616 wrote to memory of 2632  2616  cmd.exe                                                                39
PID 2616 wrote to memory of 2632  2616  cmd.exe                                                                39
PID 2616 wrote to memory of 1724  2616  cmd.exe                                                                40
PID 2616 wrote to memory of 1724  2616  cmd.exe                                                                40
PID 2616 wrote to memory of 1724  2616  cmd.exe                                                                40
PID 2616 wrote to memory of 1724  2616  cmd.exe                                                                40
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe"
- Suspicious use of WriteProcessMemory
PID:1924 -
[level 2] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Test1.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Test1.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356 -
[level 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WUDFHost" /tr '"C:\Users\Admin\AppData\Roaming\WUDFHost.exe"' & exit
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
[level 4] C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /f /sc onlogon /rl highest /tn "WUDFHost" /tr '"C:\Users\Admin\AppData\Roaming\WUDFHost.exe"'
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2576
-
-
-
[level 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCAAF.tmp.bat""
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
[level 4] C:\Windows\SysWOW64\timeout.exe
  cmdline: timeout 3
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2632
-
-
[level 4] C:\Users\Admin\AppData\Roaming\WUDFHost.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\WUDFHost.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
-
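The process tree above is the whole AsyncRAT install routine in one screen: the SFX-extracted Test1.exe registers a logon-triggered scheduled task with `/rl highest` whose target sits in `%AppData%\Roaming`, then runs a `%TEMP%\tmpXXXX.tmp.bat` that sleeps with `timeout 3` (the extracted config's `delay` of 3) before starting the copied payload. The task and file name WUDFHost reuse the name of the legitimate Windows User-Mode Driver Framework host, which lives under `C:\Windows\System32`; the cmd.exe image is logged from SysWOW64 because the 32-bit Test1.exe runs under WOW64 and its "System32" command line is redirected. The script below is an added example, not code from the sandbox or from the sample, that turns those three observations into detection rules and runs them over process-creation records constructed from this report's tree (Sysmon Event ID 1 style fields). The rule names, the `USER_WRITABLE` and `TEMP_BAT` patterns and the short `SYSTEM_BINARY_NAMES` set are the example's own assumptions, not sandbox signatures.

```python
"""Flag the AsyncRAT install chain from this report in process-creation telemetry.

Added example, not code from the sandbox or the sample: EVENTS is constructed
from the report's process tree (Sysmon Event ID 1 style fields), and the rule
names, the path patterns and the short SYSTEM_BINARY_NAMES set are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# User-writable locations a logon task or a "system" binary should not run from (assumption).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\|\\programdata\\|\\users\\public\\", re.I)
# Batch launcher dropped into %TEMP%, named like tmpCAAF.tmp.bat in this report.
TEMP_BAT = re.compile(r"\\temp\\tmp[0-9a-f]{4}\.tmp\.bat", re.I)
# Real System32 binary names that malware borrows; a sample, not a complete list.
SYSTEM_BINARY_NAMES = {"wudfhost.exe", "svchost.exe", "dllhost.exe", "conhost.exe"}


def unquote(tok: str) -> str:
    """Strip nested quoting (a single-quoted, double-quoted path) down to the bare value."""
    while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        tok = tok[1:-1]
    return tok


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return the /sc, /rl, /tn and /tr values of a schtasks /create command line, else None."""
    if not re.search(r"\bschtasks(\.exe)?\b.*?/create\b", cmdline, re.I):
        return None

    def grab(flag: str) -> Optional[str]:
        m = re.search(r"/" + flag + r"\s+('[^']*'|\"[^\"]*\"|\S+)", cmdline, re.I)
        return unquote(m.group(1)) if m else None

    return {k: grab(k) for k in ("sc", "rl", "tn", "tr")}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Run the three rules over events given in creation order; return Findings."""
    children: dict = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings, task_targets = [], {}
    # Rule 1: logon-triggered scheduled task whose target lives in a user-writable directory.
    for e in events:
        task = parse_schtasks(e.cmdline)
        if not task or (task["sc"] or "").lower() != "onlogon" or not task["tr"]:
            continue
        if USER_WRITABLE.search(task["tr"]):
            rl = (task["rl"] or "default").lower()
            findings.append(Finding("logon_task_from_user_dir", e.pid,
                                    f"task {task['tn']!r} -> {task['tr']} (rl={rl})"))
            task_targets[task["tr"].lower()] = task["tn"]
    for e in events:
        # Rule 2: a binary carrying a System32 name that is not under C:\Windows.
        if basename(e.image) in SYSTEM_BINARY_NAMES and "\\windows\\" not in e.image.lower():
            findings.append(Finding("system_binary_name_outside_windows", e.pid, e.image))
        # Rule 3: cmd running a %TEMP% tmpXXXX.tmp.bat that sleeps with timeout and then
        # starts an executable from a user-writable directory (the install step).
        if basename(e.image) == "cmd.exe" and TEMP_BAT.search(e.cmdline):
            kids = children.get(e.pid, [])
            delay = next((k for k in kids if basename(k.image) == "timeout.exe"), None)
            launched = [k for k in kids if USER_WRITABLE.search(k.image)]
            if delay and launched:
                m = re.search(r"timeout\s+(?:/t\s+)?(\d+)", delay.cmdline, re.I)
                secs = m.group(1) if m else "?"
                target = launched[-1].image
                note = f"timeout {secs}s then {target}"
                if target.lower() in task_targets:
                    note += f"; same file is the target of task {task_targets[target.lower()]!r}"
                findings.append(Finding("temp_batch_delayed_launch", e.pid, note))
    return findings


# Constructed from the report's process tree (pids, images and command lines as shown there).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "014dba300f314de1c296005e39b4263d50ff032b7eebea2353b2285c90f891ed.exe")
RAT = "C:\\Users\\Admin\\AppData\\Roaming\\WUDFHost.exe"
SCHTASKS = ('schtasks /create /f /sc onlogon /rl highest /tn "WUDFHost" '
            '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\WUDFHost.exe"\'')
EVENTS = [
    ProcEvent(1924, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2356, 1924, "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Test1.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Test1.exe"'),
    ProcEvent(2864, 2356, "C:\\Windows\\SysWOW64\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS + " & exit"),
    ProcEvent(2576, 2864, "C:\\Windows\\SysWOW64\\schtasks.exe", SCHTASKS),
    ProcEvent(2616, 2356, "C:\\Windows\\SysWOW64\\cmd.exe",
              'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCAAF.tmp.bat""'),
    ProcEvent(2632, 2616, "C:\\Windows\\SysWOW64\\timeout.exe", "timeout 3"),
    ProcEvent(1724, 2616, RAT, f'"{RAT}"'),
]
FINDINGS = detect(EVENTS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Against the constructed events the script reports the task twice (once for the cmd.exe wrapper, once for schtasks.exe itself), the WUDFHost.exe copy running from `%AppData%\Roaming`, and the batch launcher with its 3 second delay tied back to the registered task. Rule 3 deliberately requires the timeout child and the launched executable to share the same cmd.exe parent, which is what ties the `delay` value in the extracted config to the observed `timeout 3`; on a real host the same parsing would run over Sysmon or EDR process-creation events rather than a hand-built list.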
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
74KB
MD5 8426efde5119f38f7436dc6170635bae
SHA1 1f68a03059e2b27b1b4529f906fe7336a743b2ac
SHA256 8d30a30ff9b086ccb05f68a4297f73cdc252d2e847dfd3eee35e770c25d99689
SHA512 8c1a0338f9b53657866eb5b8f2b1e9a736877ee599a38ad6c956eec2062a4b62501b03893b93d9995c062f8c90fb7901ebdf4b3a4ef2a3944629cd47f9df7e57
-
Filesize
152B
MD5 1627574b604ee67cbc568623d05e69d2
SHA1 6a834021baaa333ec51f12967ec44970c9932197
SHA256 952daf1f4afe8b4fbd2618e960a7a5179b3d8c5fd99c6ffcacae0cb4bda3cec7
SHA512 9c8f784c86f39163874b7739fa0551fce6ebfc15702a4c79443089e29dee9a157e5e7229c27fe4c32b17d38d473bd5f51442f8cee6f8e010df4c96ae3516393c