Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 19:39

Static task: static1
Behavioral task: behavioral1
  Sample: INV_FG59.EXE
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: INV_FG59.EXE
  Resource: win10v20201028
General
- Target: INV_FG59.EXE
- Size: 1.2MB
- MD5: 97995b3f92bf70117841d386fe556497
- SHA1: b817858dbe60a1975adbb7fa00524a65f38077e0
- SHA256: 02d0d2a6ee7f1e728599f0e16ff5bb3618a67fd63d0cb1f20a90ac2fe8eca670
- SHA512: ab4a84fcd4b1bc7f73a22f671d65cb3ba2c5c396fc88d1db23cd641467961186fbfe530288e1fb548170b7af9bffbc620ca486d86ae5629908f64241246b8399
Malware Config
Extracted
asyncrat
0.5.7B
54.36.220.171:7707
54.36.220.171:8808
54.36.220.171:5050
Mutex_6SI8OkPnk
- aes_key: DiOIHNqQSoNMUZLXqq4Zuqb1foyxPfJ1
- anti_detection: false
- autorun: false
- bdos: false
- delay: last_Last
- host: 54.36.220.171
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: Mutex_6SI8OkPnk
- pastebin_config: null
- port: 7707,8808,5050
- version: 0.5.7B
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INV_FG59.EXE\"" | INV_FG59.EXE
- Async RAT payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/624-20-0x000000000040C6DE-mapping.dmp | asyncrat
  behavioral1/memory/624-19-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/624-21-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/624-22-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INV_FG59.EXE | INV_FG59.EXE
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INV_FG59.EXE | INV_FG59.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\INV_FG59.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\INV_FG59.EXE" | INV_FG59.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\INV_FG59.EXE" | INV_FG59.EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  pid | process
  1036 | INV_FG59.EXE (7 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1036 set thread context of 624 | 1036 | INV_FG59.EXE | regsvcs.exe
- Delays execution with timeout.exe (3 IoCs)
  pid | process
  296 | timeout.exe
  828 | timeout.exe
  1400 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  1036 | INV_FG59.EXE (3 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1036 | INV_FG59.EXE
  Token: SeDebugPrivilege | 624 | regsvcs.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | process | target process
  PID 1036 wrote to memory of 1684 | 1036 | INV_FG59.EXE | cmd.exe (4 identical entries)
  PID 1684 wrote to memory of 1400 | 1684 | cmd.exe | timeout.exe (4 identical entries)
  PID 1036 wrote to memory of 1660 | 1036 | INV_FG59.EXE | cmd.exe (4 identical entries)
  PID 1660 wrote to memory of 296 | 1660 | cmd.exe | timeout.exe (4 identical entries)
  PID 1036 wrote to memory of 1484 | 1036 | INV_FG59.EXE | cmd.exe (4 identical entries)
  PID 1484 wrote to memory of 828 | 1484 | cmd.exe | timeout.exe (4 identical entries)
  PID 1036 wrote to memory of 624 | 1036 | INV_FG59.EXE | regsvcs.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INV_FG59.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV_FG59.EXE"
  Modifies WinLogon for persistence
  Drops startup file
  Adds Run key to start application
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Suspicious use of SetThreadContext
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      Delays execution with timeout.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      Delays execution with timeout.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/296-16-0x0000000000000000-mapping.dmp
- memory/624-19-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/624-22-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/624-24-0x0000000074900000-0x0000000074FEE000-memory.dmp (Filesize: 6.9MB)
- memory/624-20-0x000000000040C6DE-mapping.dmp
- memory/624-21-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/828-18-0x0000000000000000-mapping.dmp
- memory/1036-10-0x0000000000570000-0x0000000000581000-memory.dmp (Filesize: 68KB)
- memory/1036-12-0x0000000000500000-0x0000000000526000-memory.dmp (Filesize: 152KB)
- memory/1036-3-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/1036-5-0x0000000000570000-0x0000000000581000-memory.dmp (Filesize: 68KB)
- memory/1036-23-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/1036-2-0x0000000074900000-0x0000000074FEE000-memory.dmp (Filesize: 6.9MB)
- memory/1400-14-0x0000000000000000-mapping.dmp
- memory/1484-17-0x0000000000000000-mapping.dmp
- memory/1660-15-0x0000000000000000-mapping.dmp
- memory/1684-13-0x0000000000000000-mapping.dmp