Analysis
-
max time kernel
123s -
max time network
154s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 16:02
Static task
static1
Behavioral task
behavioral1
Sample
4623254c01d5f7aacd77ce78329a0976.exe
Resource
win7v20210408
General
-
Target
4623254c01d5f7aacd77ce78329a0976.exe
-
Size
770KB
-
MD5
4623254c01d5f7aacd77ce78329a0976
-
SHA1
10c144749fb54444b65a2cea0f3a18fc08a5a0a2
-
SHA256
79c980bfebcae8726171a7cb2ff931f0da8bad4edd0fd0beb088e32ad1d1c7a7
-
SHA512
b0cfa65b7875b4b4a8b06d92f1595c724dc9698246cae920cbbd5e0d8da955c8f573ed459a64ad35799f31bf301c2dd5df4b350afb83225b5954196c7ac5e500
Malware Config
Extracted
asyncrat
0.5.6D
79.134.225.22:7890
plpwufojgjumnqp
-
aes_key
YRR6qoQ9k1oF6WSlJmfPDS5io7Iq9moG
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Muva
-
host
79.134.225.22
-
hwid
25
- install_file
-
install_folder
%AppData%
-
mutex
plpwufojgjumnqp
-
pastebin_config
null
-
port
7890
-
version
0.5.6D
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3956-127-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/3956-128-0x000000000040C60E-mapping.dmp asyncrat -
Suspicious use of SetThreadContext 1 IoCs
Processes:
4623254c01d5f7aacd77ce78329a0976.exedescription pid process target process PID 2184 set thread context of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
4623254c01d5f7aacd77ce78329a0976.exepid process 2184 4623254c01d5f7aacd77ce78329a0976.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
4623254c01d5f7aacd77ce78329a0976.exe4623254c01d5f7aacd77ce78329a0976.exedescription pid process Token: SeDebugPrivilege 2184 4623254c01d5f7aacd77ce78329a0976.exe Token: SeDebugPrivilege 3956 4623254c01d5f7aacd77ce78329a0976.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
4623254c01d5f7aacd77ce78329a0976.exedescription pid process target process PID 2184 wrote to memory of 3116 2184 4623254c01d5f7aacd77ce78329a0976.exe schtasks.exe PID 2184 wrote to memory of 3116 2184 4623254c01d5f7aacd77ce78329a0976.exe schtasks.exe PID 2184 wrote to memory of 3116 2184 4623254c01d5f7aacd77ce78329a0976.exe schtasks.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe PID 2184 wrote to memory of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4623254c01d5f7aacd77ce78329a0976.exe"C:\Users\Admin\AppData\Local\Temp\4623254c01d5f7aacd77ce78329a0976.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CRPrKapxQE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89D2.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\4623254c01d5f7aacd77ce78329a0976.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4623254c01d5f7aacd77ce78329a0976.exe.logMD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
C:\Users\Admin\AppData\Local\Temp\tmp89D2.tmpMD5
953f76aecf6690a2494d73d76348edf3
SHA17a8f1d31a82d17d69e7295d2d9a66a6091eb3766
SHA2560325fa28eb62280e2da8b39e81ebe4b30fe6f36fb68dba64c77e49f1008af3c6
SHA512921c5104db488a39c0b3818b08b0b073b9f971fd141732d37a76a2f165620bb552fe5b9661a9211dde9153d80418ed9159a2219b4bcd4d8706cff2778fc02a58
-
memory/2184-123-0x00000000064C0000-0x000000000651F000-memory.dmpFilesize
380KB
-
memory/2184-124-0x0000000002F30000-0x0000000002F3E000-memory.dmpFilesize
56KB
-
memory/2184-119-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/2184-120-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2184-121-0x0000000005B40000-0x0000000005B42000-memory.dmpFilesize
8KB
-
memory/2184-122-0x0000000005C10000-0x0000000005C11000-memory.dmpFilesize
4KB
-
memory/2184-114-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/2184-118-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/2184-116-0x0000000005390000-0x00000000053CB000-memory.dmpFilesize
236KB
-
memory/2184-117-0x0000000009DD0000-0x0000000009DD1000-memory.dmpFilesize
4KB
-
memory/3116-125-0x0000000000000000-mapping.dmp
-
memory/3956-127-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3956-128-0x000000000040C60E-mapping.dmp
-
memory/3956-132-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/3956-135-0x0000000005900000-0x0000000005901000-memory.dmpFilesize
4KB