Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7
- submitted: 09-07-2020 18:41
Static task: static1
Behavioral task: behavioral1
- Sample: f635d6dbb86f7d946250514c9ccb7db0.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: f635d6dbb86f7d946250514c9ccb7db0.exe
- Resource: win10
General
- Target: f635d6dbb86f7d946250514c9ccb7db0.exe
- Size: 256KB
- MD5: f635d6dbb86f7d946250514c9ccb7db0
- SHA1: f11402b0dba9a9c81399c2f557b11deac2620c55
- SHA256: 25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1
- SHA512: e02ba39e68acd88724acda61ac1feb501a0d070022c22863e7dd2fa2dc160a15d56e302a5ad1ad200d70091098d764c542cdf88d88d917d5f988ae36d80d9d9c
Malware Config
Extracted: asyncrat 0.5.7B null:null AsyncMutex_6SI8OkPnk
- aes_key: EfA8oEwdphb1PRVOxTe3AN4wESj6UjIj
- anti_detection: false
- autorun: true
- bdos: false
- delay: CORONA
- host: null
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: https://pastebin.com/raw/KVXdCZYr
- port: null
- version: 0.5.7B
Signatures

Contains code to disable Windows Defender (4 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/memory/1772-35-0x0000000000400000-0x0000000000454000-memory.dmp | disable_win_def
behavioral1/memory/1772-36-0x000000000044FF42-mapping.dmp | disable_win_def
behavioral1/memory/1772-38-0x0000000000400000-0x0000000000454000-memory.dmp | disable_win_def
behavioral1/memory/1772-39-0x0000000000400000-0x0000000000454000-memory.dmp | disable_win_def

Modifies security service (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | kgdxez.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4" | kgdxez.exe

Async RAT payload (7 IoCs)
resource | yara_rule
behavioral1/memory/876-2-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/876-3-0x000000000040C78E-mapping.dmp | asyncrat
behavioral1/memory/876-4-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/876-5-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1976-19-0x000000000040C78E-mapping.dmp | asyncrat
behavioral1/memory/1976-21-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/1976-22-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

Executes dropped EXE (5 IoCs)
pid | Process
1768 | chromegoogle.exe
1976 | chromegoogle.exe
1056 | kgdxez.exe
1772 | kgdxez.exe
1504 | DHender.exe

Loads dropped DLL (4 IoCs)
pid | Process
1532 | cmd.exe
1556 | powershell.exe
1056 | kgdxez.exe
1772 | kgdxez.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" | kgdxez.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | kgdxez.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | kgdxez.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" | kgdxez.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetry = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kgdxez.exe\"" | kgdxez.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeTelemetry = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kgdxez.exe\"" | kgdxez.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kgdxez.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kgdxez.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
15 | ip-api.com

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 608 set thread context of 876 | 608 | f635d6dbb86f7d946250514c9ccb7db0.exe | 24
PID 1768 set thread context of 1976 | 1768 | chromegoogle.exe | 34
PID 1056 set thread context of 1772 | 1056 | kgdxez.exe | 40

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1760 | schtasks.exe
1128 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
1788 | timeout.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
876 | f635d6dbb86f7d946250514c9ccb7db0.exe
876 | f635d6dbb86f7d946250514c9ccb7db0.exe
1556 | powershell.exe
1976 | chromegoogle.exe
1556 | powershell.exe
1992 | powershell.exe
1992 | powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 876 | f635d6dbb86f7d946250514c9ccb7db0.exe
Token: SeDebugPrivilege | 1976 | chromegoogle.exe
Token: SeDebugPrivilege | 1556 | powershell.exe
Token: SeDebugPrivilege | 1772 | kgdxez.exe
Token: SeDebugPrivilege | 1992 | powershell.exe

Suspicious use of WriteProcessMemory (75 IoCs)
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | kgdxez.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe (PID 608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe (PID 876)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1040)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromegoogle" /tr '"C:\Users\Admin\AppData\Roaming\chromegoogle.exe"' & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 1760)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "chromegoogle" /tr '"C:\Users\Admin\AppData\Roaming\chromegoogle.exe"'
        - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe (PID 1532)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C6D.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe (PID 1788)
        Command line: timeout 3
        - Delays execution with timeout.exe
      C:\Users\Admin\AppData\Roaming\chromegoogle.exe (PID 1768)
        Command line: "C:\Users\Admin\AppData\Roaming\chromegoogle.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\chromegoogle.exe (PID 1976)
          Command line: "C:\Users\Admin\AppData\Roaming\chromegoogle.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (PID 1812)
            Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"' & exit
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1556)
              Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"'
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Local\Temp\kgdxez.exe (PID 1056)
                Command line: "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\kgdxez.exe (PID 1772)
                  Command line: "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"
                  - Modifies security service
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Windows security modification
                  - Adds Run key to start application
                  - Checks whether UAC is enabled
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification
                  C:\Windows\SysWOW64\schtasks.exe (PID 1128)
                    Command line: "schtasks" /create /tn "\Microsoft\Windows\NetTrace\PerfTrack\Files\OfficeTelemetry" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe" /f
                    - Creates scheduled task(s)
                  C:\Windows\SysWOW64\schtasks.exe (PID 1880)
                    Command line: "schtasks" /delete /tn "OfficeTelemetry" /f
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1992)
                    Command line: "powershell" Get-MpPreference -verbose
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe (PID 1504)
                    Command line: "C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe"
                    - Executes dropped EXE