Analysis
- max time kernel: 61s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-05-2021 19:32
Static task: static1
Behavioral task: behavioral1
- Sample: 8D74E2EF18E68405319A1090D20A0674.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 8D74E2EF18E68405319A1090D20A0674.exe
- Resource: win10v20210410
General
- Target: 8D74E2EF18E68405319A1090D20A0674.exe
- Size: 264KB
- MD5: 8d74e2ef18e68405319a1090d20a0674
- SHA1: 363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9
- SHA256: 2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792
- SHA512: 6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3
Malware Config
Extracted: asyncrat 0.5.7B
- fact.azad.live:5380
- societyf500.ddns.net:5380
- AsyncMutex_6SI8OkPnk

- aes_key: g5ATBHeFjqZicBQcW6MmoyX0Xhwz0tjW
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- host: fact.azad.live,societyf500.ddns.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 5380
- version: 0.5.7B
Signatures

Async RAT payload (3 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/1600-64-0x0000000000400000-0x0000000000421000-memory.dmp | asyncrat
- behavioral1/memory/1600-65-0x00000000003E0000-0x00000000003EC000-memory.dmp | asyncrat
- behavioral1/memory/1132-90-0x0000000000400000-0x0000000000421000-memory.dmp | asyncrat

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 740 | dwm.exe
- 1132 | dwm.exe

Loads dropped DLL (3 IoCs)
Processes (pid | process):
- 484 | 8D74E2EF18E68405319A1090D20A0674.exe
- 860 | cmd.exe
- 740 | dwm.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\dwm.exe" | 8D74E2EF18E68405319A1090D20A0674.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
- PID 484 set thread context of 1600 | 484 | 8D74E2EF18E68405319A1090D20A0674.exe | 8D74E2EF18E68405319A1090D20A0674.exe
- PID 740 set thread context of 1132 | 740 | dwm.exe | dwm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (8 IoCs)
Processes (resource | yara_rule):
- \Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_1
- \Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_2
- C:\Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_1
- C:\Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_2
- C:\Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_1
- C:\Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_2
- C:\Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_1
- C:\Users\Admin\AppData\Roaming\dwm.exe | nsis_installer_2

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes (pid | process):
- 928 | timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid | process):
- 1600 | 8D74E2EF18E68405319A1090D20A0674.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid | process):
- 484 | 8D74E2EF18E68405319A1090D20A0674.exe
- 740 | dwm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1600 | 8D74E2EF18E68405319A1090D20A0674.exe
- Token: SeDebugPrivilege | 1132 | dwm.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes (description | pid | process | target process; identical repeated entries collapsed, with the repeat count in parentheses):
- PID 484 wrote to memory of 1600 | 484 | 8D74E2EF18E68405319A1090D20A0674.exe | 8D74E2EF18E68405319A1090D20A0674.exe (x5)
- PID 1600 wrote to memory of 568 | 1600 | 8D74E2EF18E68405319A1090D20A0674.exe | cmd.exe (x4)
- PID 1600 wrote to memory of 860 | 1600 | 8D74E2EF18E68405319A1090D20A0674.exe | cmd.exe (x4)
- PID 568 wrote to memory of 516 | 568 | cmd.exe | schtasks.exe (x4)
- PID 860 wrote to memory of 928 | 860 | cmd.exe | timeout.exe (x4)
- PID 860 wrote to memory of 740 | 860 | cmd.exe | dwm.exe (x4)
- PID 740 wrote to memory of 1132 | 740 | dwm.exe | dwm.exe (x5)
Processes (indented by depth in the process tree; the number is the depth)

1. C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"' & exit
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"'
            - Creates scheduled task(s)

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD85.tmp.bat""
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 3
            - Delays execution with timeout.exe

         4. C:\Users\Admin\AppData\Roaming\dwm.exe
            Command line: "C:\Users\Admin\AppData\Roaming\dwm.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\dwm.exe
               Command line: "C:\Users\Admin\AppData\Roaming\dwm.exe"
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
Downloads