Analysis
-
max time kernel
15s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-12-2020 07:03
Static task
static1
Behavioral task
behavioral1
Sample
SKM_C258201001130020005057.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SKM_C258201001130020005057.exe
Resource
win10v20201028
General
-
Target
SKM_C258201001130020005057.exe
-
Size
1.0MB
-
MD5
101293648c64868f186872244df8b871
-
SHA1
fbca0f4a9f0dfb1f7d1e93e9a650ac4e5f815901
-
SHA256
8d29f4ed1dfb22f2b11e74a065ca6f8993cead1cbd965f576a935cf80fb1afc7
-
SHA512
d67b4892f9269b8dec97d1063500a83d251e78ea2d8f20afa576da397d1013e5c1380c99284cf35d02b29faeebfe8ed7f1d9365312b9f909bc5530826fa79a26
Malware Config
Extracted
asyncrat
0.5.7B
severdops.ddns.net:6204
AsyncMutex_6SI8OkPnk
-
aes_key
YNkqaLZuCTWrp43KtUJweEXfeczrvdLZ
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
severdops.ddns.net
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6204
-
version
0.5.7B
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
SKM_C258201001130020005057.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SKM_C258201001130020005057.exe\"" SKM_C258201001130020005057.exe -
Async RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/500-8-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/500-9-0x000000000040C71E-mapping.dmp asyncrat -
Drops startup file 2 IoCs
Processes:
SKM_C258201001130020005057.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
SKM_C258201001130020005057.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKM_C258201001130020005057.exe" SKM_C258201001130020005057.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SKM_C258201001130020005057.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKM_C258201001130020005057.exe" SKM_C258201001130020005057.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
SKM_C258201001130020005057.exepid process 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SKM_C258201001130020005057.exedescription pid process target process PID 644 set thread context of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2300 644 WerFault.exe SKM_C258201001130020005057.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
SKM_C258201001130020005057.exeWerFault.exepid process 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 644 SKM_C258201001130020005057.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe 2300 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
SKM_C258201001130020005057.exeWerFault.exeSKM_C258201001130020005057.exedescription pid process Token: SeDebugPrivilege 644 SKM_C258201001130020005057.exe Token: SeRestorePrivilege 2300 WerFault.exe Token: SeBackupPrivilege 2300 WerFault.exe Token: SeDebugPrivilege 2300 WerFault.exe Token: SeDebugPrivilege 500 SKM_C258201001130020005057.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
SKM_C258201001130020005057.exedescription pid process target process PID 644 wrote to memory of 2620 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 2620 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 2620 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe PID 644 wrote to memory of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 11242⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/500-8-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/500-9-0x000000000040C71E-mapping.dmp
-
memory/500-10-0x0000000073EE0000-0x00000000745CE000-memory.dmpFilesize
6.9MB
-
memory/500-18-0x0000000005C70000-0x0000000005C71000-memory.dmpFilesize
4KB
-
memory/644-2-0x0000000073EE0000-0x00000000745CE000-memory.dmpFilesize
6.9MB
-
memory/644-3-0x0000000000CD0000-0x0000000000CD1000-memory.dmpFilesize
4KB
-
memory/644-5-0x00000000055B0000-0x00000000055B1000-memory.dmpFilesize
4KB
-
memory/644-6-0x0000000005550000-0x0000000005577000-memory.dmpFilesize
156KB
-
memory/644-7-0x0000000005D90000-0x0000000005D91000-memory.dmpFilesize
4KB
-
memory/2300-13-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB