Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-07-2021 07:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: change of bank account.exe
- Resource: win7v20210410
General
- Target: change of bank account.exe
- Size: 786KB
- MD5: 47c7620387d81bc7542cbb49a3cbbec2
- SHA1: 3597f35885eb29c5b2f4f925f965880e8882a164
- SHA256: ebea93500eadbd81e08f6e45207b3b173f6493a561c5db5f0e2293db46299d01
- SHA512: 15fb834fdb28f815354109c35f9d620f6aa4035f0a00b3db9ae6dfd7622d1bbcc1eec4e793a30a0b782ce46d0ba18cded908f439e5e83d158ceb255aa87b0e6b
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.6D
- C2: 79.134.225.44:7450
- Mutex: zesdluuiwc

Configuration fields:
- aes_key: xEGeI9b9ebYU1KIyt6o56TUQ5Zun1NL4
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 79.134.225.44
- hwid: 5
- install_file:
- install_folder: %AppData%
- mutex: zesdluuiwc
- pastebin_config: null
- port: 7450
- version: 0.5.6D
Signatures
- Async RAT payload (2 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/1304-127-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
  - behavioral2/memory/1304-128-0x000000000040C61E-mapping.dmp: asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 4036 set thread context of 1304; 4036; change of bank account.exe; change of bank account.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid; process):
  - 4036; change of bank account.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description; pid; process):
  - Token: SeDebugPrivilege; 4036; change of bank account.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description; pid; process; target process):
  - PID 4036 wrote to memory of 800; 4036; change of bank account.exe; schtasks.exe
  - PID 4036 wrote to memory of 800; 4036; change of bank account.exe; schtasks.exe
  - PID 4036 wrote to memory of 800; 4036; change of bank account.exe; schtasks.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
  - PID 4036 wrote to memory of 1304; 4036; change of bank account.exe; change of bank account.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\change of bank account.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdfRSF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9B1.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\change of bank account.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\change of bank account.exe.log
  MD5: 90acfd72f14a512712b1a7380c0faf60
  SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
  SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
  SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
- C:\Users\Admin\AppData\Local\Temp\tmpB9B1.tmp
  MD5: 1a0b943e6f95588ee6f8778cc02221e7
  SHA1: d7e67c12f8435735c6062fd243f28a4b7f26079e
  SHA256: 2bf22db68c7580d320d636d28522027ef90e034370d6ae39c1aaff75cee797a2
  SHA512: 8d4cc8c794c62e3673b9f0c4ef7918a96cb5459e0e9e6b0b1b276ed559029217383ed15328a558fdf6e05aea20097fcdf88005193cc8015792007cba73b39009
- memory/800-125-0x0000000000000000-mapping.dmp
- memory/1304-132-0x0000000005230000-0x0000000005231000-memory.dmp (Filesize: 4KB)
- memory/1304-128-0x000000000040C61E-mapping.dmp
- memory/1304-127-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/4036-119-0x0000000005780000-0x0000000005781000-memory.dmp (Filesize: 4KB)
- memory/4036-122-0x0000000005AF0000-0x0000000005B0B000-memory.dmp (Filesize: 108KB)
- memory/4036-123-0x0000000007D30000-0x0000000007D81000-memory.dmp (Filesize: 324KB)
- memory/4036-124-0x0000000007DB0000-0x0000000007DBF000-memory.dmp (Filesize: 60KB)
- memory/4036-121-0x0000000005840000-0x0000000005D3E000-memory.dmp (Filesize: 5.0MB)
- memory/4036-120-0x0000000005A40000-0x0000000005A41000-memory.dmp (Filesize: 4KB)
- memory/4036-114-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize: 4KB)
- memory/4036-118-0x00000000058E0000-0x00000000058E1000-memory.dmp (Filesize: 4KB)
- memory/4036-117-0x0000000005D40000-0x0000000005D41000-memory.dmp (Filesize: 4KB)
- memory/4036-116-0x00000000057A0000-0x00000000057A1000-memory.dmp (Filesize: 4KB)