Analysis
- max time kernel: 21s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-01-2021 15:52
Behavioral task: behavioral1
- Sample: WindowsForsApp2.jpg.exe
- Resource: win7v20201028
General
- Target: WindowsForsApp2.jpg.exe
- Size: 45KB
- MD5: d3a6b158e1e9696487764681659b132e
- SHA1: 5e55263eda3d62389ca0f8e08a75a65e1afd7e40
- SHA256: ce0530832a781bd0ca193f10973c554c051cbebd189339c2ff31b60638914a89
- SHA512: ecb4e7320979490e219a71812c640af8c2f9ac9303b7c16993961c4f89c23c49f3620cd0940f36cc69371df0386582f6ac7204d07d14cae6e0271956416c234f
Malware Config
Extracted: asyncrat 0.5.7B, host:port 103.147.184.53:1991, mutex AsyncMutex_6SI8OkPnk
- version: 0.5.7B
- host: 103.147.184.53
- port: 1991
- mutex: AsyncMutex_6SI8OkPnk
- aes_key: jAIQjLUDDlRsSW2EWQFUO3GpJGouneMb
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- hwid: 3
- install_file: (empty)
- install_folder: %AppData%
- pastebin_config: null
Signatures
- Async RAT payload (2 IoCs)
  C:\Users\Admin\AppData\Roaming\tax refund.exe matched yara rule asyncrat (reported twice)
- Executes dropped EXE (1 IoC)
  pid 1172  tax refund.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  pid 1504  timeout.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid 64  WindowsForsApp2.jpg.exe (13 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 64    WindowsForsApp2.jpg.exe
  Token: SeDebugPrivilege  pid 1172  tax refund.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  source pid  source process           target pid  target process
  64          WindowsForsApp2.jpg.exe  1292        cmd.exe (3 events)
  64          WindowsForsApp2.jpg.exe  2772        cmd.exe (3 events)
  1292        cmd.exe                  992         schtasks.exe (3 events)
  2772        cmd.exe                  1504        timeout.exe (3 events)
  2772        cmd.exe                  1172        tax refund.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\WindowsForsApp2.jpg.exe (pid 64)
  "C:\Users\Admin\AppData\Local\Temp\WindowsForsApp2.jpg.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (pid 1292)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tax refund" /tr '"C:\Users\Admin\AppData\Roaming\tax refund.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (pid 992)
      schtasks /create /f /sc onlogon /rl highest /tn "tax refund" /tr '"C:\Users\Admin\AppData\Roaming\tax refund.exe"'
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (pid 2772)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA752.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (pid 1504)
      timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\tax refund.exe (pid 1172)
      "C:\Users\Admin\AppData\Roaming\tax refund.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
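The process tree above is the whole AsyncRAT install sequence: the original binary spawns one cmd.exe that registers an on-logon task with highest run level pointing at a copy under %AppData%, and a second cmd.exe that runs a dropped .bat which waits three seconds and then starts that copy. The script below is an added example (not part of the sandbox report or of any vendor tooling) that turns this chain into detection logic: it parses schtasks /create flags, scores the registration, and walks the process tree to confirm that the task's target was also executed under the same root with a timeout.exe delay. The events are constructed from the report's own command lines and PIDs; the parent pid 1 for the root process is a placeholder, not a value from the report.

```python
"""Detect the schtasks persistence chain shown in the process tree above.

Added example; the events below are constructed from the report's command
lines and PIDs and are not real Sysmon/EDR telemetry.
"""
import re
from collections import defaultdict

# The schtasks command line recorded in the report (pid 992).
TASK_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "tax refund" '
            '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\tax refund.exe"\'')

# Constructed process-creation events: pid, parent pid, image, command line.
# ppid 1 for the root is a placeholder; the report does not show its launcher.
EVENTS = [
    {"pid": 64, "ppid": 1, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsForsApp2.jpg.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsForsApp2.jpg.exe"'},
    {"pid": 1292, "ppid": 64, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ' + TASK_CMD + " & exit"},
    {"pid": 992, "ppid": 1292, "image": "C:\\Windows\\SysWOW64\\schtasks.exe", "cmdline": TASK_CMD},
    {"pid": 2772, "ppid": 64, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA752.tmp.bat""'},
    {"pid": 1504, "ppid": 2772, "image": "C:\\Windows\\SysWOW64\\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 1172, "ppid": 2772, "image": "C:\\Users\\Admin\\AppData\\Roaming\\tax refund.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Roaming\\tax refund.exe"'},
]

# /flag value pairs; a value may be single-quoted, double-quoted or bare and must
# not itself start with "/" so that "/f /sc" does not swallow "/sc" as f's value.
FLAG_RE = re.compile(r"""/(sc|rl|tn|tr|f)\b(?:\s+(?!/)('[^']*'|"[^"]*"|\S+))?""", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "minute", "hourly", "daily"}


def unquote(value):
    """Strip nested matching quotes around a value ('"C:\\a b.exe"' -> C:\\a b.exe)."""
    while len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def parse_schtasks(cmdline):
    """Return {flag: value} for a schtasks /create command line (/f maps to True)."""
    flags = {}
    for match in FLAG_RE.finditer(cmdline):
        name, value = match.group(1).lower(), match.group(2)
        flags[name] = unquote(value) if value is not None else True
    return flags


def assess_task(flags):
    """Reasons a task registration looks like malware persistence; empty if nothing stands out."""
    reasons = []
    if str(flags.get("sc", "")).lower() in PERSISTENT_TRIGGERS:
        reasons.append(f"re-executes on trigger /sc {flags['sc']}")
    if str(flags.get("rl", "")).lower() == "highest":
        reasons.append("requests highest run level (/rl highest)")
    if flags.get("f") is True:
        reasons.append("silently overwrites an existing task (/f)")
    if USER_WRITABLE.search(str(flags.get("tr", ""))):
        reasons.append(f"action lives in a user-writable directory: {flags['tr']}")
    return reasons


def find_persistence_chains(events, min_reasons=2):
    """Tie each suspicious schtasks event to its root process and check whether the
    task's target binary was also started (drop, delay, run) under that same root."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def root_of(e):
        while e["ppid"] in by_pid:
            e = by_pid[e["ppid"]]
        return e

    def descendants(pid):
        out = []
        for child in children[pid]:
            out.append(child)
            out.extend(descendants(child["pid"]))
        return out

    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        flags = parse_schtasks(e["cmdline"])
        reasons = assess_task(flags)
        if len(reasons) < min_reasons:
            continue
        root = root_of(e)
        tree = descendants(root["pid"])
        target = str(flags.get("tr", "")).lower()
        findings.append({
            "root": root["image"],
            "task_name": flags.get("tn"),
            "target": flags.get("tr"),
            "reasons": reasons,
            # The dropped copy was already started once, before the task ever fires.
            "target_executed": any(d["image"].lower() == target for d in tree),
            # timeout.exe in the same tree is the short delay before the copy is started.
            "delayed": any(d["image"].lower().endswith("\\timeout.exe") for d in tree),
        })
    return findings


if __name__ == "__main__":
    for finding in find_persistence_chains(EVENTS):
        print(f"{finding['root']} -> task '{finding['task_name']}' -> {finding['target']}")
        for reason in finding["reasons"]:
            print("  -", reason)
        print("  target already executed:", finding["target_executed"], "| delay seen:", finding["delayed"])
```

Run against the constructed events it reports one chain rooted at WindowsForsApp2.jpg.exe with all four reasons, the target already executed and the timeout delay present. The two-reason threshold keeps legitimate installers that register an on-logon task under Program Files from firing; in a real deployment the events would come from Sysmon EventID 1 or equivalent EDR process-creation telemetry, and the path pattern would be tuned to the environment.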
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA752.tmp.bat
  MD5: 07723338064106cb0bc55f056c2bf4c6
  SHA1: 9e2184b6a334056e17e89ab5417137314a74c82e
  SHA256: 07ad568e9b9b8faa700269ee5f3b03f8cbbc99807a32c765c352a5db2c519617
  SHA512: 3ca8058d54fd269300fe5fbf439193aa77b95647eadd34cbf6da7e076dd51635a7158fb51f6e8f0132d45d8580341f86840ad6d57feaf8d8b6fdf49d4bf26c44
- C:\Users\Admin\AppData\Roaming\tax refund.exe (listed twice in the report; its hashes are identical to the submitted sample, so the dropped file is an unmodified copy of WindowsForsApp2.jpg.exe)
  MD5: d3a6b158e1e9696487764681659b132e
  SHA1: 5e55263eda3d62389ca0f8e08a75a65e1afd7e40
  SHA256: ce0530832a781bd0ca193f10973c554c051cbebd189339c2ff31b60638914a89
  SHA512: ecb4e7320979490e219a71812c640af8c2f9ac9303b7c16993961c4f89c23c49f3620cd0940f36cc69371df0386582f6ac7204d07d14cae6e0271956416c234f
- memory/64-5: 0x0000000005500000-0x0000000005501000 (4KB)
- memory/64-3: 0x0000000000A00000-0x0000000000A01000 (4KB)
- memory/64-2: 0x0000000073200000-0x00000000738EE000 (6.9MB)
- memory/992-9: mapping.dmp
- memory/1172-11: mapping.dmp
- memory/1172-14: 0x0000000073150000-0x000000007383E000 (6.9MB)
- memory/1172-18: 0x0000000005A00000-0x0000000005A01000 (4KB)
- memory/1172-19: 0x00000000055D0000-0x00000000055D1000 (4KB)
- memory/1292-6: mapping.dmp
- memory/1504-10: mapping.dmp
- memory/2772-7: mapping.dmp