Analysis
  max time kernel:   146s
  max time network:  171s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         23-07-2021 12:25

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            877446a3230a1bdc809f50ad1477c3fd.exe
  Resource:          win7v20210410
General
  Target:  877446a3230a1bdc809f50ad1477c3fd.exe
  Size:    385KB
  MD5:     877446a3230a1bdc809f50ad1477c3fd
  SHA1:    54480aba9a090e9efb15695a55888c19b3dc183e
  SHA256:  d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb
  SHA512:  484c7dcf5a04f68f7b76ce5fee094cecf1353d0e46c9368b105cbe0b1fa18d18d584a679f4bbd95b658b898e668767ed69df546e411939141c158cfe2ed130b1
Malware Config
  Extracted
    family:   asyncrat
    version:  0.5.7B
    omomom.ac.ug:6970
    omkarusdajvc.ac.ug:6970
    6SI8OkPnkxzcasd

  aes_key:          sEiaxlqpFmHMU8l5j0Ycz8apFoEBTERY
  anti_detection:   false
  autorun:          false
  bdos:             false
  delay:            XX
  host:             omomom.ac.ug,omkarusdajvc.ac.ug
  hwid:             3
  install_file:     (empty)
  install_folder:   %AppData%
  mutex:            6SI8OkPnkxzcasd
  pastebin_config:  null
  port:             6970
  version:          0.5.7B
Signatures
  Async RAT payload (3 IoCs)
    resource                                                                       yara_rule
    behavioral1/memory/840-69-0x0000000000400000-0x0000000000412000-memory.dmp    asyncrat
    behavioral1/memory/840-70-0x000000000040C71E-mapping.dmp                      asyncrat
    behavioral1/memory/840-71-0x0000000000400000-0x0000000000412000-memory.dmp    asyncrat

  Suspicious use of SetThreadContext (1 IoC)
    description                         pid    process                                 target process
    PID 1340 set thread context of 840  1340   877446a3230a1bdc809f50ad1477c3fd.exe    877446a3230a1bdc809f50ad1477c3fd.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.

  Suspicious use of WriteProcessMemory (13 IoCs)
    description                         pid    process                                 target process
    PID 1340 wrote to memory of 684     1340   877446a3230a1bdc809f50ad1477c3fd.exe    schtasks.exe                            (4 identical entries)
    PID 1340 wrote to memory of 840     1340   877446a3230a1bdc809f50ad1477c3fd.exe    877446a3230a1bdc809f50ad1477c3fd.exe    (9 identical entries)
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\awXFuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp"
          - Creates scheduled task(s)

      [2] C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
          command line: "{path}"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp
    MD5:     c938421fa5d0a6a1d397a3debf939057
    SHA1:    f350c4735d66d409bca38dbfa8b29bf3c613fe9b
    SHA256:  429f39e493570fef03ef3acc980fc415988549ff24ac24957a658c363a996c15
    SHA512:  a6bc6f72bb8c42cf101a9ae2f084d1a1a3b97c5f3019d35c72d2cd16bd163a13a024236a7bfadef6d8b173cb5297e99469f0b9a3dde14699045b1d4baba2c875

  Memory dumps                                                      Filesize
  memory/684-67-0x0000000000000000-mapping.dmp                      -
  memory/840-74-0x00000000040D0000-0x00000000040D1000-memory.dmp    4KB
  memory/840-73-0x0000000075FE1000-0x0000000075FE3000-memory.dmp    8KB
  memory/840-71-0x0000000000400000-0x0000000000412000-memory.dmp    72KB
  memory/840-70-0x000000000040C71E-mapping.dmp                      -
  memory/840-69-0x0000000000400000-0x0000000000412000-memory.dmp    72KB
  memory/1340-63-0x0000000000510000-0x0000000000512000-memory.dmp   8KB
  memory/1340-66-0x0000000001EF0000-0x0000000001F09000-memory.dmp   100KB
  memory/1340-65-0x0000000004990000-0x00000000049F9000-memory.dmp   420KB
  memory/1340-64-0x0000000004825000-0x0000000004836000-memory.dmp   68KB
  memory/1340-59-0x00000000104B0000-0x00000000104B1000-memory.dmp   4KB
  memory/1340-62-0x0000000004820000-0x0000000004821000-memory.dmp   4KB
  memory/1340-61-0x00000000005E0000-0x0000000000622000-memory.dmp   264KB