Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 01:56

Static task: static1
Behavioral task: behavioral1
Sample: DHL Delivery Invoice AWB 2774038374.pdf.exe
Resource: win7v20210410
General
- Target: DHL Delivery Invoice AWB 2774038374.pdf.exe
- Size: 786KB
- MD5: d743cbe63d8fbd4f86cc5606c22147a6
- SHA1: dac98cb344e90b0e9872a8fee8df8e30c884fc90
- SHA256: 153539010b81b41dcbd4cf3932a91e8e3fe2cb8a077dcbce4be08dce7fa5091c
- SHA512: 553799f270fa11b6437c7c1066359db33de7c54eea0d1821bf4d721b5d54c69af24ee66bdc9b86f30ce14af3603a0ebf87a53166b5d84c38a904e87a6a83f16d
Malware Config
Extracted: asyncrat 0.5.7B | vladmir001.myddns.me:6381 | AsyncMutex_6SI8OkPnk
- aes_key: 4JaeOmABEr7aogISnRFvR85Emmylke5f
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: vladmir001.myddns.me
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6381
- version: 0.5.7B
Signatures
- Async RAT payload (2 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/496-127-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral2/memory/496-128-0x000000000040C73E-mapping.dmp | asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1000 set thread context of 496 | 1000 | DHL Delivery Invoice AWB 2774038374.pdf.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process), 3 identical entries:
  1000 | DHL Delivery Invoice AWB 2774038374.pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1000 | DHL Delivery Invoice AWB 2774038374.pdf.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 1000 wrote to memory of 412 | 1000 | DHL Delivery Invoice AWB 2774038374.pdf.exe | schtasks.exe (3 identical entries)
  PID 1000 wrote to memory of 496 | 1000 | DHL Delivery Invoice AWB 2774038374.pdf.exe | RegSvcs.exe (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kTeyOdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9C.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF9C.tmp
  MD5: e515e937d083a071bfcc5aed00cfdbf1
  SHA1: 2ab20ffe4adbb90be98a57e011fb8f086f425121
  SHA256: ead1b87fd173cce1e723e80ce851583d361e774b1836a40f53057488464548f9
  SHA512: cebe68ad0c6d3b4cdc8ce98684131b4d08747235aa0fcedd1c1cc1f85279cf08e0fbae8a3d223c6140f7fe3f3d0f735f58b2c1e9eb48603a53a306af0edf9b29
- memory/412-125-0x0000000000000000-mapping.dmp
- memory/496-131-0x00000000055D0000-0x00000000055D1000-memory.dmp (Filesize: 4KB)
- memory/496-128-0x000000000040C73E-mapping.dmp
- memory/496-127-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1000-121-0x0000000005730000-0x0000000005C2E000-memory.dmp (Filesize: 5.0MB)
- memory/1000-114-0x0000000000D50000-0x0000000000D51000-memory.dmp (Filesize: 4KB)
- memory/1000-122-0x0000000005C20000-0x0000000005C29000-memory.dmp (Filesize: 36KB)
- memory/1000-123-0x00000000016B0000-0x0000000001717000-memory.dmp (Filesize: 412KB)
- memory/1000-124-0x0000000001770000-0x0000000001790000-memory.dmp (Filesize: 128KB)
- memory/1000-120-0x0000000005930000-0x0000000005931000-memory.dmp (Filesize: 4KB)
- memory/1000-119-0x00000000056D0000-0x00000000056D1000-memory.dmp (Filesize: 4KB)
- memory/1000-118-0x00000000057D0000-0x00000000057D1000-memory.dmp (Filesize: 4KB)
- memory/1000-117-0x0000000005C30000-0x0000000005C31000-memory.dmp (Filesize: 4KB)
- memory/1000-116-0x0000000005620000-0x0000000005621000-memory.dmp (Filesize: 4KB)