Analysis
- max time kernel: 147s
- max time network: 178s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-07-2021 07:15

Static task: static1
Behavioral task: behavioral1
- Sample: change of bank account.exe
- Resource: win7v20210410

General
- Target: change of bank account.exe
- Size: 786KB
- MD5: 47c7620387d81bc7542cbb49a3cbbec2
- SHA1: 3597f35885eb29c5b2f4f925f965880e8882a164
- SHA256: ebea93500eadbd81e08f6e45207b3b173f6493a561c5db5f0e2293db46299d01
- SHA512: 15fb834fdb28f815354109c35f9d620f6aa4035f0a00b3db9ae6dfd7622d1bbcc1eec4e793a30a0b782ce46d0ba18cded908f439e5e83d158ceb255aa87b0e6b
Malware Config
Extracted: asyncrat 0.5.6D, C2 79.134.225.44:7450, mutex zesdluuiwc
- aes_key: xEGeI9b9ebYU1KIyt6o56TUQ5Zun1NL4
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 79.134.225.44
- hwid: 5
- install_file:
- install_folder: %AppData%
- mutex: zesdluuiwc
- pastebin_config: null
- port: 7450
- version: 0.5.6D

Note that autorun is false and install_file is empty: the persistence observed in this run (the scheduled task under Signatures and Processes) was set up by the first-stage process, PID 1856, before it injected the payload into PID 888, not by the RAT's own install routine. Block on the C2 pair host:port, and treat the mutex name as a host-level indicator for the running payload.
Signatures
- Async RAT payload (3 IoCs)
  YARA rule asyncrat matched three memory dumps, all taken from PID 888:
  - behavioral1/memory/888-67-0x0000000000400000-0x0000000000412000-memory.dmp
  - behavioral1/memory/888-68-0x000000000040C61E-mapping.dmp
  - behavioral1/memory/888-69-0x0000000000400000-0x0000000000412000-memory.dmp
- Suspicious use of SetThreadContext (1 IoC)
  PID 1856 (change of bank account.exe) set thread context of PID 888 (change of bank account.exe).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned note calls this likely ransomware behaviour, but it is a generic heuristic: every other signature in this report and the extracted configuration identify the payload as AsyncRAT, a remote-access trojan, so drive enumeration here is better read as host reconnaissance than as a ransomware indicator.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1856 (change of bank account.exe).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1856 (change of bank account.exe), Token: SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1856 (change of bank account.exe) wrote to memory of PID 756 (schtasks.exe): 4 writes.
  PID 1856 (change of bank account.exe) wrote to memory of PID 888 (change of bank account.exe): 9 writes.
  Together with the SetThreadContext call above, the writes into PID 888 are the process-hollowing pattern: the sample starts a second copy of itself, overwrites its memory and redirects its main thread into the written payload.
Processes
- C:\Users\Admin\AppData\Local\Temp\change of bank account.exe (PID 1856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 756, child of 1856)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdfRSF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D42.tmp"
    - Creates scheduled task(s)
    The image path is SysWOW64 although the command line names System32: the 32-bit parent is subject to WOW64 file system redirection, so the task is registered by the 32-bit schtasks.exe. The task definition is supplied as an XML file in the user's Temp directory (listed under Downloads below) rather than on the command line, so the task's action and trigger are not visible in the process tree and the XML itself has to be inspected.
  - C:\Users\Admin\AppData\Local\Temp\change of bank account.exe (PID 888, child of 1856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"
    Second instance of the sample and the target of the parent's WriteProcessMemory and SetThreadContext calls; the asyncrat YARA matches are on this process's memory.
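The following is an added example, not part of the sandbox report and not a sandbox API. It re-encodes the Signatures evidence (the SetThreadContext and WriteProcessMemory calls, with the PIDs and image names the report lists) and the Processes command lines as Python data and runs the two checks a responder would want over them: whether any process writes into a copy of itself and then rewrites that copy's thread context (the process-hollowing pattern), and whether any child registered a scheduled task from an XML file staged in a user Temp directory. The function and variable names are this example's own.

```python
"""Process-injection and persistence triage over the evidence in this report.

Added example (not from the sandbox or the report). EVENTS and PROCESSES are
transcribed from the Signatures and Processes sections above; the helper
functions are illustrative and not part of any sandbox API.
"""
import os
import re
from collections import defaultdict

# API-call evidence as printed in the Signatures section:
# (api, source pid, source image, target pid, target image). The report lists
# 4 writes into schtasks.exe and 9 into the second copy of the sample.
EVENTS = (
    [("SetThreadContext", 1856, "change of bank account.exe", 888, "change of bank account.exe")]
    + [("WriteProcessMemory", 1856, "change of bank account.exe", 756, "schtasks.exe")] * 4
    + [("WriteProcessMemory", 1856, "change of bank account.exe", 888, "change of bank account.exe")] * 9
)

# Process tree as printed in the Processes section: pid -> (parent pid, command line).
PROCESSES = {
    1856: (None, r'"C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"'),
    756: (1856, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdfRSF" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8D42.tmp"'),
    888: (1856, r'"C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"'),
}


def injection_summary(events):
    """Per target PID: number of remote writes, whether its thread context was
    rewritten, whether source and target run the same image, and the source PID."""
    summary = defaultdict(lambda: {"writes": 0, "thread_context": False, "same_image": False, "source": None})
    for api, src, src_img, dst, dst_img in events:
        entry = summary[dst]
        entry["source"] = src
        entry["same_image"] = src_img.lower() == dst_img.lower()
        if api == "WriteProcessMemory":
            entry["writes"] += 1
        elif api == "SetThreadContext":
            entry["thread_context"] = True
    return dict(summary)


def find_hollowing(events):
    """(source pid, target pid) pairs matching the hollowing pattern. Remote writes
    alone are weak evidence (a parent routinely touches a child it has just created);
    the discriminators are SetThreadContext plus a target that is a copy of the source."""
    return sorted(
        (entry["source"], dst)
        for dst, entry in injection_summary(events).items()
        if entry["writes"] and entry["thread_context"] and entry["same_image"]
    )


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline):
    """Return {task, xml, xml_in_temp} for a `schtasks /Create ... /XML <file>` line, else None."""
    tokens = tokenize(cmdline)
    if not tokens or os.path.basename(tokens[0].replace("\\", "/")).lower() != "schtasks.exe":
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None

    def arg(flag):
        i = lowered.index(flag) if flag in lowered else -1
        return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

    xml = arg("/xml")
    return {
        "task": arg("/tn"),
        "xml": xml,
        # Task definitions staged in %LocalAppData%\Temp hide the action/trigger from the process tree.
        "xml_in_temp": bool(xml) and "\\appdata\\local\\temp\\" in xml.lower(),
    }


def persistence_findings(processes):
    """Scheduled-task registrations in the tree, with the parent that spawned them."""
    findings = []
    for pid, (parent, cmdline) in processes.items():
        parsed = parse_schtasks_create(cmdline)
        if parsed:
            findings.append({"pid": pid, "parent": parent, **parsed})
    return findings


if __name__ == "__main__":
    for src, dst in find_hollowing(EVENTS):
        print(f"process hollowing: PID {src} -> PID {dst}")
    for f in persistence_findings(PROCESSES):
        print(f"scheduled task {f['task']!r} registered by PID {f['pid']} (parent {f['parent']}), XML {f['xml']}")
```

On this report's data the hollowing check returns the single pair 1856 -> 888, and the persistence check returns the task Updates\PdfRSF registered by PID 756 on behalf of PID 1856 with its definition read from the Temp directory. The same two functions apply unchanged to any sandbox run whose API evidence is transcribed into the same tuple shape.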
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8D42.tmp (the task definition passed to schtasks.exe via /XML)
  MD5: 9f72dfdba5908151c59989595fbc7903
  SHA1: b02df7eb9de9ab40720e07dbef78f3d1dd331dc3
  SHA256: 3ef8ce4e569ffafdefe2f4628b11ed9d2a8bce801ba6d1d0bc2bd160e0bce8bc
  SHA512: bb7b684c481547c5bb89549381cef0de9cf4e577ea5d7169a158ce4111f07a5bdee56e95d139fb4b1fc50086fbfc4d3f8219e9ed37ff98543f9be1d3e6c4b7fa
- memory/756-65-0x0000000000000000-mapping.dmp
- memory/888-67-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/888-68-0x000000000040C61E-mapping.dmp
- memory/888-69-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/888-71-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (8KB)
- memory/888-72-0x0000000001FC0000-0x0000000001FC1000-memory.dmp (4KB)
- memory/1856-59-0x0000000000A60000-0x0000000000A61000-memory.dmp (4KB)
- memory/1856-61-0x0000000002090000-0x0000000002091000-memory.dmp (4KB)
- memory/1856-62-0x00000000002D0000-0x00000000002EB000-memory.dmp (108KB)
- memory/1856-63-0x0000000005260000-0x00000000052B1000-memory.dmp (324KB)
- memory/1856-64-0x00000000004B0000-0x00000000004BF000-memory.dmp (60KB)

The two 72KB dumps of PID 888 cover 0x400000-0x412000, the default image base of a 32-bit executable, and are the payload written into the hollowed child; the mapping dump at 0x40C61E lies inside that range (offset 0xC61E), consistent with the thread entry point set by the parent's SetThreadContext call. These three dumps are the ones the asyncrat YARA rule matched, so they are the artifacts to carve for the unpacked AsyncRAT client.
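The following is an added example, not part of the sandbox report. It parses the dump file names listed above (pid-sequence-start-end-memory.dmp and pid-sequence-address-mapping.dmp), computes each region's size, and locates every mapping address inside a dumped region of the same process, which is how a responder confirms that the mapping dump falls within the injected image before carving it. The names are copied from the report; the parsing helpers and their names are this example's own.

```python
"""Reconcile the memory dumps listed under Downloads with the injection evidence.

Added example (not from the sandbox or the report). DUMP_NAMES is transcribed
from the Downloads section above; the helpers are illustrative.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/756-65-0x0000000000000000-mapping.dmp",
    "memory/888-67-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/888-68-0x000000000040C61E-mapping.dmp",
    "memory/888-69-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/888-71-0x0000000075FE1000-0x0000000075FE3000-memory.dmp",
    "memory/888-72-0x0000000001FC0000-0x0000000001FC1000-memory.dmp",
    "memory/1856-59-0x0000000000A60000-0x0000000000A61000-memory.dmp",
    "memory/1856-61-0x0000000002090000-0x0000000002091000-memory.dmp",
    "memory/1856-62-0x00000000002D0000-0x00000000002EB000-memory.dmp",
    "memory/1856-63-0x0000000005260000-0x00000000052B1000-memory.dmp",
    "memory/1856-64-0x00000000004B0000-0x00000000004BF000-memory.dmp",
]

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump_names(names):
    """Split dump names into region dumps (with start/end/size) and mapping dumps (with one address)."""
    regions, mappings = [], []
    for name in names:
        m = REGION_RE.match(name)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start})
            continue
        m = MAPPING_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        mappings.append({"pid": int(m[1]), "seq": int(m[2]), "addr": int(m[3], 16)})
    return regions, mappings


def size_kib(region):
    """Region size in KiB, the unit the report prints next to each dump."""
    return region["size"] // 1024


def dumped_kib_by_pid(regions):
    """Total dumped bytes per process, in KiB."""
    totals = defaultdict(int)
    for r in regions:
        totals[r["pid"]] += size_kib(r)
    return dict(totals)


def locate_mappings(regions, mappings):
    """For each mapping dump, the region dumps of the same PID that contain its address,
    with the offset into each; an empty list means no dumped region covers it."""
    located = []
    for mp in mappings:
        hits = [
            {"seq": r["seq"], "start": r["start"], "end": r["end"], "offset": mp["addr"] - r["start"]}
            for r in regions
            if r["pid"] == mp["pid"] and r["start"] <= mp["addr"] < r["end"]
        ]
        located.append({"pid": mp["pid"], "addr": mp["addr"], "regions": hits})
    return located


def image_base_regions(regions, base=0x400000):
    """Regions starting at the default 32-bit PE image base: where a hollowed child's
    replacement image is normally written, and the first candidates for carving."""
    return [r for r in regions if r["start"] == base]


if __name__ == "__main__":
    regions, mappings = parse_dump_names(DUMP_NAMES)
    for r in image_base_regions(regions):
        print(f"PID {r['pid']} dump {r['seq']}: image-base region 0x{r['start']:X}-0x{r['end']:X} ({size_kib(r)}KB)")
    for hit in locate_mappings(regions, mappings):
        inside = ", ".join(f"dump {h['seq']} (+0x{h['offset']:X})" for h in hit["regions"]) or "no dumped region"
        print(f"PID {hit['pid']} mapping at 0x{hit['addr']:X}: {inside}")
```

For this report the 0x40C61E mapping of PID 888 resolves into both 72KB image-base dumps (67 and 69) at offset 0xC61E, while the 0x0 mapping of PID 756 (schtasks.exe) is covered by nothing, matching the absence of any YARA hit on that process.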