Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 01:56
- Static task: static1
- Behavioral task: behavioral1
  - Sample: DHL Delivery Invoice AWB 2774038374.pdf.exe
  - Resource: win7v20210410
General
- Target: DHL Delivery Invoice AWB 2774038374.pdf.exe
- Size: 786KB
- MD5: d743cbe63d8fbd4f86cc5606c22147a6
- SHA1: dac98cb344e90b0e9872a8fee8df8e30c884fc90
- SHA256: 153539010b81b41dcbd4cf3932a91e8e3fe2cb8a077dcbce4be08dce7fa5091c
- SHA512: 553799f270fa11b6437c7c1066359db33de7c54eea0d1821bf4d721b5d54c69af24ee66bdc9b86f30ce14af3603a0ebf87a53166b5d84c38a904e87a6a83f16d
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- C2: vladmir001.myddns.me:6381
- Mutex: AsyncMutex_6SI8OkPnk
Attributes
- aes_key: 4JaeOmABEr7aogISnRFvR85Emmylke5f
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: vladmir001.myddns.me
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6381
- version: 0.5.7B
Signatures
- Async RAT payload (3 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/852-68-0x000000000040C73E-mapping.dmp | asyncrat
    behavioral1/memory/852-67-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/852-69-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2004 set thread context of 852 | 2004 | DHL Delivery Invoice AWB 2774038374.pdf.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    2004 | DHL Delivery Invoice AWB 2774038374.pdf.exe
    2004 | DHL Delivery Invoice AWB 2774038374.pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2004 | DHL Delivery Invoice AWB 2774038374.pdf.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process):
    PID 2004 wrote to memory of 1688 | 2004 | DHL Delivery Invoice AWB 2774038374.pdf.exe | schtasks.exe (4 identical entries)
    PID 2004 wrote to memory of 852 | 2004 | DHL Delivery Invoice AWB 2774038374.pdf.exe | RegSvcs.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe (PID 2004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1688)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kTeyOdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6B2.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 852)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB6B2.tmp
  MD5: fb2f7fc38b74df425406d0be3be97d77
  SHA1: 86902991bd431459d7e126dc585263fff494e1cb
  SHA256: 8a254e983241fd5bbc276f65c8bd7e713488c362e5e471a288ac018632eb1e2a
  SHA512: 154dd157f45263d953a059121b0588b43acf676f0b29e9b5924551b03f7ed1acc3fd0b2e49c7e3ecc27d42ec37fcbaf841ca757c454c84204f6ea0932b12ce19
- memory/852-68-0x000000000040C73E-mapping.dmp
- memory/852-67-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/852-69-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/852-71-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/852-72-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
- memory/1688-65-0x0000000000000000-mapping.dmp
- memory/2004-59-0x0000000000A70000-0x0000000000A71000-memory.dmp (Filesize: 4KB)
- memory/2004-61-0x0000000004CC0000-0x0000000004CC1000-memory.dmp (Filesize: 4KB)
- memory/2004-62-0x0000000000480000-0x0000000000489000-memory.dmp (Filesize: 36KB)
- memory/2004-63-0x0000000004C30000-0x0000000004C97000-memory.dmp (Filesize: 412KB)
- memory/2004-64-0x00000000006F0000-0x0000000000710000-memory.dmp (Filesize: 128KB)