Analysis

max time kernel: 146s
max time network: 144s
platform: windows7_x64
resource: win7v20201028
submitted: 04-01-2021 07:36

Static task: static1
Behavioral task: behavioral1
  Sample: ORDER #0421 pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: ORDER #0421 pdf.exe
  Resource: win10v20201028
General

Target: ORDER #0421 pdf.exe
Size: 402KB
MD5: fcc5dca7aa404d3f6e81a4ba10359cde
SHA1: 7f0426a62831d90c111dd110abd47d635a38522d
SHA256: 7f8fae93824dfb08c5a5a4ad6e28612109530da49a33370eacb8deaa5fe9fd6b
SHA512: 0c04243ce607693713c0f796e09c510829d6f24f1c477aaa53185930a54b64e7fb99744e6ffd123ef4bf6d27b8346280d5addb1f6b02d3fb5f5e2db697ef68ec
Malware Config

Extracted: asyncrat 0.5.7B

C2 endpoints (the client pairs every configured host with every configured port, 9 x 4 = 36 endpoints):
  chongmei33.publicvm.com     49746, 2703, 49714, 49703
  185.165.153.116             49746, 2703, 49714, 49703
  54.37.36.116                49746, 2703, 49714, 49703
  185.244.30.92               49746, 2703, 49714, 49703
  dongreg202020.duckdns.org   49746, 2703, 49714, 49703
  178.33.222.241              49746, 2703, 49714, 49703
  rahim321.duckdns.org        49746, 2703, 49714, 49703
  79.134.225.92               49746, 2703, 49714, 49703
  37.120.208.36               49746, 2703, 49714, 49703

Configuration fields:
  aes_key: Hz9AIk2iuw31bDO3o1GepDyHZ5vVJkGp
  anti_detection: false
  autorun: false
  bdos: false
  delay: SEPT G8
  host: chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36
  hwid: 3
  install_file: (empty)
  install_folder: %AppData%
  mutex: word_6SI86kPnk
  pastebin_config: null
  port: 49746,2703,49714,49703
  version: 0.5.7B

Note that autorun is false and install_file is empty, yet the run below shows a Run key being written and a copy at C:\Users\Admin\word.exe rather than under %AppData%. The REG ADD is issued by the submitted executable (PID 1916) before word.exe is started, so the persistence seen here comes from the outer loader, not from the extracted AsyncRAT settings.
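The following Python script is an added example; it is not part of the sandbox report or of AsyncRAT itself. It takes the host and port fields exactly as extracted above, expands them the way the client does (every host paired with every port, which is why the report lists 36 endpoints), separates literal IPs from DNS names, and runs the resulting set over a few constructed DNS and firewall log lines. The log format, its field names, and the benign destinations in the sample lines are assumptions made for the demo.

```python
"""Turn the extracted AsyncRAT host/port fields into network IoCs and match logs.

Added example, not code from the sandbox report or from AsyncRAT. The HOSTS
and PORTS values are copied from the extracted config; SAMPLE_LOGS and the
log field names (dns query=..., dst=..., dport=...) are constructed.
"""
import ipaddress
import itertools
import re

# Copied verbatim from the "host" and "port" fields of the extracted config.
HOSTS = ("chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,"
         "dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,"
         "79.134.225.92,37.120.208.36").split(",")
PORTS = [int(p) for p in "49746,2703,49714,49703".split(",")]


def expand_c2(hosts, ports):
    """Every host x every port: the set of endpoints the client will try."""
    return {(h.lower(), p) for h, p in itertools.product(hosts, ports)}


def split_hosts(hosts):
    """Separate literal IP addresses from DNS names (the names here are
    dynamic-DNS style hosts, so they outlive any single IP)."""
    ips, names = set(), set()
    for h in hosts:
        try:
            ipaddress.ip_address(h)
            ips.add(h)
        except ValueError:
            names.add(h.lower())
    return ips, names


# Constructed sample log lines (not from the report): one DNS lookup of a
# configured name, one connection to a configured host:port, two benign
# lines, and one line that hits a configured port but not a configured host.
SAMPLE_LOGS = [
    "2021-01-04T07:40:12Z dns query=dongreg202020.duckdns.org type=A client=10.0.0.5",
    "2021-01-04T07:40:13Z fw action=allow src=10.0.0.5 dst=185.165.153.116 dport=2703 proto=tcp",
    "2021-01-04T07:40:14Z dns query=www.example.com type=A client=10.0.0.5",
    "2021-01-04T07:40:15Z fw action=allow src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp",
    "2021-01-04T07:40:16Z fw action=allow src=10.0.0.5 dst=10.0.0.9 dport=2703 proto=tcp",
]

DNS_RE = re.compile(r"dns query=(?P<name>\S+)")
FW_RE = re.compile(r"dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def match_logs(lines, hosts=HOSTS, ports=PORTS):
    """Return (line, reason) for every line that touches a configured C2.

    A connection must match host AND port: the ports alone (49746, 2703, ...)
    are ordinary ephemeral-range values and would false-positive on their own.
    """
    c2 = expand_c2(hosts, ports)
    _ips, names = split_hosts(hosts)
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group("name").lower() in names:
            hits.append((line, f"dns lookup of C2 name {m.group('name')}"))
            continue
        m = FW_RE.search(line)
        if m and (m.group("dst").lower(), int(m.group("port"))) in c2:
            hits.append((line, f"connection to C2 {m.group('dst')}:{m.group('port')}"))
    return hits


if __name__ == "__main__":
    print(f"{len(expand_c2(HOSTS, PORTS))} host:port endpoints")
    for line, why in match_logs(SAMPLE_LOGS):
        print(why, "<-", line)
```

The last sample line is there to show why the match is on the (host, port) pair and not on the port list: 2703 to an internal address is not an IoC. For hunting, the three DNS names are the more durable indicators; the six literal IPs should be checked against current resolutions before being treated as blocked-forever.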
Signatures

Async RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1540-21-0x000000000040C89E-mapping.dmp                     asyncrat
  behavioral1/memory/1540-23-0x0000000000080000-0x0000000000092000-memory.dmp   asyncrat
  behavioral1/memory/1540-24-0x0000000000080000-0x0000000000092000-memory.dmp   asyncrat

Executes dropped EXE (2 IoCs)
  pid    process
  316    word.exe
  1540   word.exe

Loads dropped DLL (1 IoC)
  pid    process
  1916   ORDER #0421 pdf.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                        process
  Key created       \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run   reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\word.exe"   reg.exe

Suspicious use of SetThreadContext (1 IoC)
  description             pid    process    target pid   target process
  set thread context of   316    word.exe   1540         word.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid    process               occurrences
  1916   ORDER #0421 pdf.exe   5
  316    word.exe              2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  token              pid    process
  SeDebugPrivilege   1916   ORDER #0421 pdf.exe
  SeDebugPrivilege   316    word.exe
  SeDebugPrivilege   1540   word.exe

Suspicious use of WriteProcessMemory (21 IoCs; identical rows collapsed with a count)
  pid    process               target pid   target process   writes
  1916   ORDER #0421 pdf.exe   1672         cmd.exe          4
  1672   cmd.exe               1768         reg.exe          4
  1916   ORDER #0421 pdf.exe   316          word.exe         4
  316    word.exe              1540         word.exe         9
Processes

Tree as recorded (depth markers 1/2/3 from the report; PIDs taken from the signature tables above):

1. C:\Users\Admin\AppData\Local\Temp\ORDER #0421 pdf.exe (PID 1916)
   "C:\Users\Admin\AppData\Local\Temp\ORDER #0421 pdf.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 1672)
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\word.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe (PID 1768)
         REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\word.exe"
         - Adds Run key to start application

   2. C:\Users\Admin\word.exe (PID 316)
      "C:\Users\Admin\word.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\word.exe (PID 1540)
         "C:\Users\Admin\word.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

The cmd.exe and reg.exe paths are under SysWOW64, so the loader runs as a 32-bit process on the x64 guest (file-system redirection hands a 32-bit parent the 32-bit copies). The AsyncRAT YARA hits are only on PID 1540's memory, the second word.exe, which PID 316 started and then targeted with SetThreadContext and nine WriteProcessMemory calls: the first copy launches a second copy of itself and overwrites it with the decoded payload.
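As an added example (not part of the report), the script below encodes the two host-side patterns visible in this tree as detection logic over constructed Sysmon-style process-creation records: a REG ADD into an HKCU Run key whose value points into a user profile, traced back to the first non-shell ancestor that launched it, and an executable under C:\Users spawning a child with its own image (word.exe PID 316 to PID 1540, the target of the SetThreadContext and WriteProcessMemory calls in the signatures). The event dictionaries, their field names, the explorer.exe parent (PID 1000) and the benign control record are constructed for the demo; they are not Sysmon's schema or records from the sandbox.

```python
"""Detect Run-key persistence and self-spawn from process-creation events.

Added example, not code from the sandbox report. EVENTS mirrors the process
tree above in a constructed, Sysmon-like shape (pid, ppid, image, cmdline);
PID 1000 explorer.exe and PID 2000 are invented so the tree has a root and a
benign control.
"""
import re

RUN_KEY_RE = re.compile(r"software\\microsoft\\windows\\currentversion\\run", re.I)
REG_ADD_RE = re.compile(r'^\s*(?:"?cmd(?:\.exe)?"?\s+/c\s+)?reg(?:\.exe)?\s+add\s+', re.I)
USER_PATH_RE = re.compile(r"^[a-z]:\\users\\", re.I)
SHELLS = {"cmd.exe", "reg.exe"}  # hop over these when looking for the origin

EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1916, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\ORDER #0421 pdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ORDER #0421 pdf.exe"'},
    {"pid": 1672, "ppid": 1916, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\word.exe"'},
    {"pid": 1768, "ppid": 1672, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\word.exe"'},
    {"pid": 316, "ppid": 1916, "image": r"C:\Users\Admin\word.exe", "cmdline": r'"C:\Users\Admin\word.exe"'},
    {"pid": 1540, "ppid": 316, "image": r"C:\Users\Admin\word.exe", "cmdline": r'"C:\Users\Admin\word.exe"'},
    # Constructed benign control: an operator registering a Program Files tool.
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Tool /d "C:\Program Files\Tool\tool.exe"'},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _data_arg(cmdline):
    """Pull the /d value (quoted or bare) out of a REG ADD command line."""
    m = re.search(r'/d\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def origin(events, pid):
    """Walk up the tree past cmd.exe/reg.exe to the process that really
    issued the command; returns that event or None."""
    by_pid = {e["pid"]: e for e in events}
    e = by_pid.get(pid)
    while e and _basename(e["image"]) in SHELLS:
        e = by_pid.get(e["ppid"])
    return e


def run_key_persistence(events):
    """REG ADD into a Run key whose target lives under a user profile.
    Returns (pid, target path, image of the originating process)."""
    hits = []
    for e in events:
        cl = e["cmdline"]
        if not (REG_ADD_RE.search(cl) and RUN_KEY_RE.search(cl)):
            continue
        target = _data_arg(cl)
        if target and USER_PATH_RE.match(target):
            src = origin(events, e["pid"])
            hits.append((e["pid"], target, src["image"] if src else None))
    return hits


def self_spawn_from_user_dir(events):
    """A child whose image equals its parent's image, both under C:\\Users.
    Combined with the SetThreadContext/WriteProcessMemory signatures this is
    the hollowing shape: launch a copy of yourself and overwrite it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        p = by_pid.get(e["ppid"])
        if p and p["image"].lower() == e["image"].lower() and USER_PATH_RE.match(e["image"]):
            hits.append((p["pid"], e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for pid, target, src in run_key_persistence(EVENTS):
        print(f"Run key -> {target} written by PID {pid}, originated from {src}")
    for ppid, pid, image in self_spawn_from_user_dir(EVENTS):
        print(f"self-spawn: {image} PID {ppid} -> PID {pid}")
```

Both the cmd.exe and the reg.exe records fire the first rule; the origin walk attributes both to the loader in the user's Temp directory, which is the field worth alerting on. The Program Files control shows why the check is on the target path rather than on "reg add ... Run" alone.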
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\word.exe
  MD5: fcc5dca7aa404d3f6e81a4ba10359cde
  SHA1: 7f0426a62831d90c111dd110abd47d635a38522d
  SHA256: 7f8fae93824dfb08c5a5a4ad6e28612109530da49a33370eacb8deaa5fe9fd6b
  SHA512: 0c04243ce607693713c0f796e09c510829d6f24f1c477aaa53185930a54b64e7fb99744e6ffd123ef4bf6d27b8346280d5addb1f6b02d3fb5f5e2db697ef68ec

The sandbox recorded this file four times (three times as C:\Users\Admin\word.exe, once as \Users\Admin\word.exe) with the same hashes each time. Those hashes are identical to the submitted sample's, so word.exe is a byte-for-byte copy of ORDER #0421 pdf.exe placed in the profile root and registered in the Run key; there is no separate second-stage file on disk, the AsyncRAT payload only exists in memory (see the 1540 dumps below).
-
memory/316-19-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/316-18-0x00000000004D0000-0x00000000004DB000-memory.dmpFilesize
44KB
-
memory/316-14-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/316-13-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/316-10-0x0000000000000000-mapping.dmp
-
memory/1540-23-0x0000000000080000-0x0000000000092000-memory.dmpFilesize
72KB
-
memory/1540-21-0x000000000040C89E-mapping.dmp
-
memory/1540-24-0x0000000000080000-0x0000000000092000-memory.dmpFilesize
72KB
-
memory/1540-25-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/1540-26-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1672-7-0x0000000000000000-mapping.dmp
-
memory/1768-8-0x0000000000000000-mapping.dmp
-
memory/1916-6-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/1916-5-0x0000000000570000-0x000000000058E000-memory.dmpFilesize
120KB
-
memory/1916-2-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/1916-3-0x0000000000D90000-0x0000000000D91000-memory.dmpFilesize
4KB