Analysis
  max time kernel:  32s
  max time network: 146s
  platform:         windows7_x64
  resource:         win7v20210410
  submitted:        21-04-2021 18:02
Static task: static1
Behavioral task: behavioral1
  Sample:   b0fe18bb22689fb4fe51f4dc5122e31d.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample:   b0fe18bb22689fb4fe51f4dc5122e31d.exe
  Resource: win10v20210410
General
  Target: b0fe18bb22689fb4fe51f4dc5122e31d.exe
  Size:   350KB
  MD5:    b0fe18bb22689fb4fe51f4dc5122e31d
  SHA1:   9d6d249108d971a79a7f2b575ac33f6062db0d35
  SHA256: b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
  SHA512: 9ed0ec74b0cff542f0a4c94e8bd895d73471b631d06338eddaaa6b10d62d38c02d7d951bf052d5fc7f86ee82bef625965a20933c3f64516b6d901e24b144e116
Malware Config
Extracted
asyncrat:
  aes_key:
  anti_detection:
  autorun:
  bdos:
  delay:
  host:
  hwid:            Write
  install_file:
  install_folder:  9wtf8vJWrK9n5Pvmm3.PdjESA4ZeMeJJbLWA4
  mutex:
  pastebin_config:
  port:
  version:
Signatures

- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    748   MSBuild.exe

- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1072  b0fe18bb22689fb4fe51f4dc5122e31d.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    process:     b0fe18bb22689fb4fe51f4dc5122e31d.exe
    description: Set value (str)
    ioc:         \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\azfgbcd = "\"C:\\Users\\Admin\\AppData\\Roaming\\azfgbcd.exe\""

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 1072 set thread context of 748  1072  b0fe18bb22689fb4fe51f4dc5122e31d.exe  MSBuild.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1072  b0fe18bb22689fb4fe51f4dc5122e31d.exe
    1072  b0fe18bb22689fb4fe51f4dc5122e31d.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1072  b0fe18bb22689fb4fe51f4dc5122e31d.exe
    Token: SeDebugPrivilege  748   MSBuild.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                      pid   process                               target process
    PID 1072 wrote to memory of 748  1072  b0fe18bb22689fb4fe51f4dc5122e31d.exe  MSBuild.exe
    (the same row is recorded 9 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b0fe18bb22689fb4fe51f4dc5122e31d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0fe18bb22689fb4fe51f4dc5122e31d.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MSBuild.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
  MD5:    9af17c8393f0970ee5136bd3ffa27001
  SHA1:   4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

- \Users\Admin\AppData\Local\Temp\MSBuild.exe
  MD5:    9af17c8393f0970ee5136bd3ffa27001
  SHA1:   4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

- memory/748-66-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
- memory/748-67-0x000000000042571E-mapping.dmp
- memory/748-70-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
- memory/748-72-0x0000000004D60000-0x0000000004D61000-memory.dmp
  Filesize: 4KB
- memory/1072-60-0x0000000000890000-0x0000000000891000-memory.dmp
  Filesize: 4KB
- memory/1072-62-0x00000000007B0000-0x00000000007B1000-memory.dmp
  Filesize: 4KB
- memory/1072-63-0x00000000004F0000-0x00000000004F2000-memory.dmp
  Filesize: 8KB
- memory/1072-64-0x0000000004720000-0x0000000004766000-memory.dmp
  Filesize: 280KB