Analysis

max time kernel: 147s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 19:38
Static task: static1

Behavioral task: behavioral1
Sample: SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
Resource: win10v20201028
General

Target: SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
Size: 401KB
MD5: 8b0fb5064ee0361249dc6ff3aa94c584
SHA1: 869a8a7ddbdef0840bbc44f5c6cc0cc043059731
SHA256: ac016f9b1592fb93fe1117f2a2e20b383944828d649f1ba33ecf831a78537b78
SHA512: f6070df027d4977216833afcdb429e70e699deb2f230fb3b797b1e486e893cd5915a2d88a4e1d06bb87342d9e246fc2b17a7a6d373267bd08868f0f2e7cc7d63
Malware Config

Extracted

Family: asyncrat
Version: 0.5.6D
C2: 185.165.153.215:6606
Mutex: uqeolevmck

aes_key: 5eoiILw5GAY7OkbkZoi8uQvz2qpV60Nt
anti_detection: false
autorun: false
bdos: false
delay: sunday
host: 185.165.153.215
hwid: 1
install_file:
install_folder: %AppData%
mutex: uqeolevmck
pastebin_config: null
port: 6606
version: 0.5.6D
Signatures

CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/500-7-0x00000000075C0000-0x00000000075C3000-memory.dmp  coreentity

Async RAT payload (2 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/416-12-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral2/memory/416-13-0x000000000040C60E-mapping.dmp                    asyncrat

Processes:
  resource                                                                    yara_rule
  behavioral2/memory/500-8-0x0000000009980000-0x0000000009993000-memory.dmp  rezer0
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                        pid  process                                             target process
  PID 500 set thread context of 416  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  process
  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                      pid  process                                             target process
  PID 500 wrote to memory of 3716  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  schtasks.exe
  PID 500 wrote to memory of 3716  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  schtasks.exe
  PID 500 wrote to memory of 3716  500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  schtasks.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  PID 500 wrote to memory of 416   500  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe  SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
Processes

C:\Users\Admin\AppData\Local\Temp\SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AkXikCVNwI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AB6.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6AB6.tmp
  MD5: e305b90a47d1ba34bcb46307f9bc3084
  SHA1: 78cddd89c1ef38752e8fc1f89c35db2e635a3365
  SHA256: c6e9694868e711edcd8f63ccd2ce0539eb92c6dc684af8bffc764c81abe88f6b
  SHA512: 6f72149a45c15dcddc3ee5e340df91bb0446d4c7a7778b2dca81f5c4feaab7edfca113f076dab2acbe90aad23123bea62b20cda5405241aaf44ed1e130747f4b

memory/416-14-0x0000000073560000-0x0000000073C4E000-memory.dmp
  Filesize: 6.9MB

memory/416-13-0x000000000040C60E-mapping.dmp

memory/416-12-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB

memory/500-7-0x00000000075C0000-0x00000000075C3000-memory.dmp
  Filesize: 12KB

memory/500-6-0x0000000007460000-0x0000000007461000-memory.dmp
  Filesize: 4KB

memory/500-0-0x0000000073560000-0x0000000073C4E000-memory.dmp
  Filesize: 6.9MB

memory/500-8-0x0000000009980000-0x0000000009993000-memory.dmp
  Filesize: 76KB

memory/500-9-0x0000000009A50000-0x0000000009A51000-memory.dmp
  Filesize: 4KB

memory/500-5-0x0000000007490000-0x0000000007491000-memory.dmp
  Filesize: 4KB

memory/500-4-0x0000000007770000-0x0000000007771000-memory.dmp
  Filesize: 4KB

memory/500-3-0x0000000002700000-0x0000000002716000-memory.dmp
  Filesize: 88KB

memory/500-1-0x0000000000200000-0x0000000000201000-memory.dmp
  Filesize: 4KB

memory/3716-10-0x0000000000000000-mapping.dmp