Analysis
- max time kernel: 43s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-04-2021 13:16

Static task: static1
Behavioral task: behavioral1
Sample: e-dekont.pdf.exe
Resource: win7v20210410
General
- Target: e-dekont.pdf.exe
- Size: 675KB
- MD5: 231032805835e5992d7be55cd281e28a
- SHA1: a32819de35a59c23dad01c62fbb1be5a2a96fa19
- SHA256: 57dc7782af4f8595d5663d6308cf8f132ba09efe1fb53d7573ccfa298a33ed7a
- SHA512: be6d5dca1f03d292a1f907cc7d11a85500cc315e4b8bd3fb25e63cdb6105399679e5ab3f626dd0eeb91e30df1be6264de43ee27d2187043fa5cd8fb54e544971
Malware Config
Extracted
asyncrat 0.5.7B
194.156.90.31:5004
AsyncMutex_6SI8OkPnk
- aes_key: HDFxJ480h98cocmnXczBVateXyWu1kTP
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 194.156.90.31
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 5004
- version: 0.5.7B
Signatures
- Async RAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/300-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/300-69-0x000000000040C71E-mapping.dmp | asyncrat
  behavioral1/memory/300-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1084 set thread context of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1084 | e-dekont.pdf.exe
  1084 | e-dekont.pdf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1084 | e-dekont.pdf.exe
  Token: SeDebugPrivilege | 300 | e-dekont.pdf.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 1084 wrote to memory of 1768 | 1084 | e-dekont.pdf.exe | schtasks.exe
  PID 1084 wrote to memory of 1768 | 1084 | e-dekont.pdf.exe | schtasks.exe
  PID 1084 wrote to memory of 1768 | 1084 | e-dekont.pdf.exe | schtasks.exe
  PID 1084 wrote to memory of 1768 | 1084 | e-dekont.pdf.exe | schtasks.exe
  PID 1084 wrote to memory of 728 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 728 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 728 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 728 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
  PID 1084 wrote to memory of 300 | 1084 | e-dekont.pdf.exe | e-dekont.pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e-dekont.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e-dekont.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nzwowTPIzFjlO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E7A.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\e-dekont.pdf.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\e-dekont.pdf.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8E7A.tmp
  MD5: 615c78455536acc8e75328b7e40907f8
  SHA1: 2c4d585301952df4ad2147ffb327539f59001fb3
  SHA256: a0c31226d24bf72356db33632fd3aefa6583927d13945c655bf475fb57842fe7
  SHA512: 4ba429d5cfdae864c9a7b06b36809b8d9bffe22a548d03e327718b8e855a682385e5a697875282b46bf172db74872acfe921f68cc3735acc4a1ebf88ad0b4f3c
- memory/300-73-0x0000000004ED0000-0x0000000004ED1000-memory.dmp (Filesize: 4KB)
- memory/300-72-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize: 8KB)
- memory/300-70-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/300-69-0x000000000040C71E-mapping.dmp
- memory/300-68-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1084-63-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize: 4KB)
- memory/1084-65-0x00000000004C0000-0x0000000000517000-memory.dmp (Filesize: 348KB)
- memory/1084-64-0x0000000009070000-0x0000000009117000-memory.dmp (Filesize: 668KB)
- memory/1084-59-0x0000000001040000-0x0000000001041000-memory.dmp (Filesize: 4KB)
- memory/1084-62-0x0000000000560000-0x0000000000565000-memory.dmp (Filesize: 20KB)
- memory/1084-61-0x0000000004A80000-0x0000000004A81000-memory.dmp (Filesize: 4KB)
- memory/1768-66-0x0000000000000000-mapping.dmp