Analysis
- max time kernel: 132s
- max time network: 141s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-05-2021 20:02

- Static task static1
- Behavioral task behavioral1: Sample 8D74E2EF18E68405319A1090D20A0674.exe, Resource win7v20210408
- Behavioral task behavioral2: Sample 8D74E2EF18E68405319A1090D20A0674.exe, Resource win10v20210410
General
- Target: 8D74E2EF18E68405319A1090D20A0674.exe
- Size: 264KB
- MD5: 8d74e2ef18e68405319a1090d20a0674
- SHA1: 363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9
- SHA256: 2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792
- SHA512: 6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3
Malware Config
Extracted: asyncrat 0.5.7B
- fact.azad.live:5380
- societyf500.ddns.net:5380
- AsyncMutex_6SI8OkPnk

Configuration fields:
- aes_key: g5ATBHeFjqZicBQcW6MmoyX0Xhwz0tjW
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- host: fact.azad.live,societyf500.ddns.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 5380
- version: 0.5.7B
Signatures
- Async RAT payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/848-65-0x0000000000400000-0x0000000000421000-memory.dmp: asyncrat
  - behavioral1/memory/848-66-0x0000000000320000-0x000000000032C000-memory.dmp: asyncrat
  - behavioral1/memory/1500-91-0x0000000000400000-0x0000000000421000-memory.dmp: asyncrat
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 428 dwm.exe
  - 1500 dwm.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  - 1996 8D74E2EF18E68405319A1090D20A0674.exe
  - 1084 cmd.exe
  - 428 dwm.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\dwm.exe" (8D74E2EF18E68405319A1090D20A0674.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  - PID 1996 set thread context of 848: 1996 8D74E2EF18E68405319A1090D20A0674.exe -> 8D74E2EF18E68405319A1090D20A0674.exe
  - PID 428 set thread context of 1500: 428 dwm.exe -> dwm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (8 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_1
  - \Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_2
  - C:\Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_2
  - C:\Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_2
  - C:\Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_1
  - C:\Users\Admin\AppData\Roaming\dwm.exe: nsis_installer_2
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid / process):
  - 1780 timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
  - 848 8D74E2EF18E68405319A1090D20A0674.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
  - 1996 8D74E2EF18E68405319A1090D20A0674.exe
  - 428 dwm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege: 848 8D74E2EF18E68405319A1090D20A0674.exe
  - Token: SeDebugPrivilege: 1500 dwm.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description / pid / process / target process; number of identical entries in parentheses):
  - PID 1996 wrote to memory of 848: 1996 8D74E2EF18E68405319A1090D20A0674.exe -> 8D74E2EF18E68405319A1090D20A0674.exe (5)
  - PID 848 wrote to memory of 1668: 848 8D74E2EF18E68405319A1090D20A0674.exe -> cmd.exe (4)
  - PID 848 wrote to memory of 1084: 848 8D74E2EF18E68405319A1090D20A0674.exe -> cmd.exe (4)
  - PID 1668 wrote to memory of 1896: 1668 cmd.exe -> schtasks.exe (4)
  - PID 1084 wrote to memory of 1780: 1084 cmd.exe -> timeout.exe (4)
  - PID 1084 wrote to memory of 428: 1084 cmd.exe -> dwm.exe (4)
  - PID 428 wrote to memory of 1500: 428 dwm.exe -> dwm.exe (5)
Processes (nesting shows the parent/child tree; depth as reported follows each image path)
- C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"'
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp84A.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (depth 4)
        Command line: timeout 3
        - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\dwm.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\dwm.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\dwm.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\dwm.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads