Analysis
-
max time kernel
114s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-06-2021 02:11
Static task
static1
Behavioral task
behavioral1
Sample
Request For Quote.exe
Resource
win7v20210408
General
-
Target
Request For Quote.exe
-
Size
723KB
-
MD5
60b38fcb88892b72f97c72a04b03ce29
-
SHA1
90a9b8272b1c39aba84ceb9c53aa1b041fb61f6b
-
SHA256
86a970ceae4a26b7b3cca4894885278b76aede70d85c92a2c55d9fe4d950a879
-
SHA512
a5fe465d7fd3dc278c85be115ae060b85a069f445d3a768064e34fa51de08221368890bce5f958bc2133fbc4bfbc8393b7a0fff7a9093f80ef82dd6d8fad4477
Malware Config
Extracted
asyncrat
0.5.7B
kingmethod.duckdns.org:6606
kingmethod.duckdns.org:7707
kingmethod.duckdns.org:8808
AsyncMutex_6SI8OkPnk
-
aes_key
OZXGLSBOBV86soeiTb9Hf1tQxfBtCgFw
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
,kingmethod.duckdns.org
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6606,7707,8808
-
version
0.5.7B
Signatures
-
Async RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4056-127-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/4056-128-0x000000000040C73E-mapping.dmp asyncrat -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Request For Quote.exedescription pid process target process PID 3916 set thread context of 4056 3916 Request For Quote.exe Request For Quote.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Request For Quote.exepid process 3916 Request For Quote.exe 3916 Request For Quote.exe 3916 Request For Quote.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Request For Quote.exeRequest For Quote.exedescription pid process Token: SeDebugPrivilege 3916 Request For Quote.exe Token: SeDebugPrivilege 4056 Request For Quote.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Request For Quote.exedescription pid process target process PID 3916 wrote to memory of 3548 3916 Request For Quote.exe schtasks.exe PID 3916 wrote to memory of 3548 3916 Request For Quote.exe schtasks.exe PID 3916 wrote to memory of 3548 3916 Request For Quote.exe schtasks.exe PID 3916 wrote to memory of 3652 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 3652 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 3652 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe PID 3916 wrote to memory of 4056 3916 Request For Quote.exe Request For Quote.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTWgfPg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC024.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request For Quote.exe.logMD5
90acfd72f14a512712b1a7380c0faf60
SHA140ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA25620806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA51229dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
-
C:\Users\Admin\AppData\Local\Temp\tmpC024.tmpMD5
e99b1c98f3a43a252eae45521ff2d50a
SHA194acaf12c621be6a426993f634403e4b51e32ee9
SHA25662a5bf3f69a7feeddfa571271dc73b188d946e70700e5182f4667ad9f4b4fa64
SHA5122e8c83d70d543bcb0adb00cf0afe785d50b1501c2e954d1a50247d91d8c24a8f6c1f6a62102c4c3bba2f95610d4cbe9675736e23ec02e48b1d1a00c313ef59eb
-
memory/3548-125-0x0000000000000000-mapping.dmp
-
memory/3916-123-0x0000000005AF0000-0x0000000005B5F000-memory.dmpFilesize
444KB
-
memory/3916-118-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/3916-120-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/3916-121-0x0000000005640000-0x000000000565E000-memory.dmpFilesize
120KB
-
memory/3916-122-0x0000000005670000-0x0000000005B6E000-memory.dmpFilesize
5.0MB
-
memory/3916-114-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/3916-124-0x0000000008740000-0x0000000008768000-memory.dmpFilesize
160KB
-
memory/3916-119-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/3916-117-0x0000000005B70000-0x0000000005B71000-memory.dmpFilesize
4KB
-
memory/3916-116-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/4056-128-0x000000000040C73E-mapping.dmp
-
memory/4056-127-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4056-132-0x00000000019D0000-0x00000000019D1000-memory.dmpFilesize
4KB
-
memory/4056-135-0x00000000064C0000-0x00000000064C1000-memory.dmpFilesize
4KB