Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-01-2021 19:39
Static task
static1
Behavioral task
behavioral1
Sample
INV_FG59.EXE
Resource
win7v20201028
Behavioral task
behavioral2
Sample
INV_FG59.EXE
Resource
win10v20201028
General
-
Target
INV_FG59.EXE
-
Size
1.2MB
-
MD5
97995b3f92bf70117841d386fe556497
-
SHA1
b817858dbe60a1975adbb7fa00524a65f38077e0
-
SHA256
02d0d2a6ee7f1e728599f0e16ff5bb3618a67fd63d0cb1f20a90ac2fe8eca670
-
SHA512
ab4a84fcd4b1bc7f73a22f671d65cb3ba2c5c396fc88d1db23cd641467961186fbfe530288e1fb548170b7af9bffbc620ca486d86ae5629908f64241246b8399
Malware Config
Extracted
asyncrat
0.5.7B
54.36.220.171:7707
54.36.220.171:8808
54.36.220.171:5050
Mutex_6SI8OkPnk
-
aes_key
DiOIHNqQSoNMUZLXqq4Zuqb1foyxPfJ1
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
last_Last
-
host
54.36.220.171
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
Mutex_6SI8OkPnk
-
pastebin_config
null
-
port
7707,8808,5050
-
version
0.5.7B
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
INV_FG59.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INV_FG59.EXE\"" INV_FG59.EXE -
Async RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2656-16-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/2656-17-0x000000000040C6DE-mapping.dmp asyncrat -
Drops startup file 2 IoCs
Processes:
INV_FG59.EXEdescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INV_FG59.EXE INV_FG59.EXE File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INV_FG59.EXE INV_FG59.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
INV_FG59.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\INV_FG59.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\INV_FG59.EXE" INV_FG59.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\INV_FG59.EXE" INV_FG59.EXE -
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
INV_FG59.EXEpid process 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INV_FG59.EXEdescription pid process target process PID 652 set thread context of 2656 652 INV_FG59.EXE regsvcs.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3808 652 WerFault.exe INV_FG59.EXE -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid process 2728 timeout.exe 3548 timeout.exe 1500 timeout.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
INV_FG59.EXEWerFault.exepid process 652 INV_FG59.EXE 652 INV_FG59.EXE 652 INV_FG59.EXE 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe 3808 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
INV_FG59.EXEWerFault.exeregsvcs.exedescription pid process Token: SeDebugPrivilege 652 INV_FG59.EXE Token: SeRestorePrivilege 3808 WerFault.exe Token: SeBackupPrivilege 3808 WerFault.exe Token: SeDebugPrivilege 3808 WerFault.exe Token: SeDebugPrivilege 2656 regsvcs.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
INV_FG59.EXEcmd.execmd.execmd.exedescription pid process target process PID 652 wrote to memory of 3272 652 INV_FG59.EXE cmd.exe PID 652 wrote to memory of 3272 652 INV_FG59.EXE cmd.exe PID 652 wrote to memory of 3272 652 INV_FG59.EXE cmd.exe PID 3272 wrote to memory of 2728 3272 cmd.exe timeout.exe PID 3272 wrote to memory of 2728 3272 cmd.exe timeout.exe PID 3272 wrote to memory of 2728 3272 cmd.exe timeout.exe PID 652 wrote to memory of 2136 652 INV_FG59.EXE cmd.exe PID 652 wrote to memory of 2136 652 INV_FG59.EXE cmd.exe PID 652 wrote to memory of 2136 652 INV_FG59.EXE cmd.exe PID 2136 wrote to memory of 3548 2136 cmd.exe timeout.exe PID 2136 wrote to memory of 3548 2136 cmd.exe timeout.exe PID 2136 wrote to memory of 3548 2136 cmd.exe timeout.exe PID 652 wrote to memory of 636 652 INV_FG59.EXE cmd.exe PID 652 wrote to memory of 636 652 INV_FG59.EXE cmd.exe PID 652 wrote to memory of 636 652 INV_FG59.EXE cmd.exe PID 636 wrote to memory of 1500 636 cmd.exe timeout.exe PID 636 wrote to memory of 1500 636 cmd.exe timeout.exe PID 636 wrote to memory of 1500 636 cmd.exe timeout.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe PID 652 wrote to memory of 2656 652 INV_FG59.EXE regsvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INV_FG59.EXE"C:\Users\Admin\AppData\Local\Temp\INV_FG59.EXE"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 16002⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/636-14-0x0000000000000000-mapping.dmp
-
memory/652-3-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB
-
memory/652-5-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/652-6-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/652-7-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/652-8-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/652-9-0x00000000051E0000-0x0000000005206000-memory.dmpFilesize
152KB
-
memory/652-2-0x0000000073FF0000-0x00000000746DE000-memory.dmpFilesize
6.9MB
-
memory/1500-15-0x0000000000000000-mapping.dmp
-
memory/2136-12-0x0000000000000000-mapping.dmp
-
memory/2656-16-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2656-17-0x000000000040C6DE-mapping.dmp
-
memory/2656-18-0x0000000073FF0000-0x00000000746DE000-memory.dmpFilesize
6.9MB
-
memory/2656-26-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/2728-11-0x0000000000000000-mapping.dmp
-
memory/3272-10-0x0000000000000000-mapping.dmp
-
memory/3548-13-0x0000000000000000-mapping.dmp
-
memory/3808-21-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB