Analysis
max time kernel: 148s
max time network: 194s
platform: windows7_x64
resource: win7v20210408
submitted: 15-09-2021 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: 02179909185ee25814dd4ea226540021.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 02179909185ee25814dd4ea226540021.exe
  Resource: win10-en
General
Target: 02179909185ee25814dd4ea226540021.exe
Size: 585KB
MD5: 02179909185ee25814dd4ea226540021
SHA1: d54bd08e2c4b7aa3971eff0ee15ac064889c1f5b
SHA256: aebf016b75a0461729b84255f307d279a60675a8769affdb69f9ad68ba9b86b3
SHA512: 6933dcc2d81d62d12756436df4f8bde39fe1ccb868b73a323153dbb360059cb82111d5ff134c43269879cf8dbb9b69a17732fccbfa927295e87a82831dea9105
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: WIRE$$$$$$$$
C2: severdops.ddns.net:6204
Mutex: AsyncMutex_6SI8OkPnk
anti_vm: false
bsod: false
delay: 3
install: true
install_file: iconfx.exe
install_folder: %AppData%
pastebin_config: null
Signatures

Async RAT payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/684-62-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
  behavioral1/memory/684-63-0x000000000040C6FE-mapping.dmp                     asyncrat
  behavioral1/memory/684-64-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
  behavioral1/memory/1252-85-0x000000000040C6FE-mapping.dmp                    asyncrat

Executes dropped EXE (2 IoCs)
  pid    process
  340    iconfx.exe
  1252   iconfx.exe

Loads dropped DLL (7 IoCs)
  pid    process        count
  2032   cmd.exe        2
  1956   WerFault.exe   5

Suspicious use of SetThreadContext (2 IoCs)
  pid    process                                target pid   target process
  1472   02179909185ee25814dd4ea226540021.exe   684          02179909185ee25814dd4ea226540021.exe
  340    iconfx.exe                             1252         iconfx.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid    pid_target   process        target process
  1596   1472         WerFault.exe   02179909185ee25814dd4ea226540021.exe
  1956   340          WerFault.exe   iconfx.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
  pid    process
  1164   timeout.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid    process                                count
  1596   WerFault.exe                           5
  684    02179909185ee25814dd4ea226540021.exe   1
  1956   WerFault.exe                           5

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid    process
  1596   WerFault.exe
  1956   WerFault.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  token               pid    process
  SeDebugPrivilege    1472   02179909185ee25814dd4ea226540021.exe
  SeDebugPrivilege    1596   WerFault.exe
  SeDebugPrivilege    684    02179909185ee25814dd4ea226540021.exe
  SeDebugPrivilege    340    iconfx.exe
  SeDebugPrivilege    1956   WerFault.exe

Suspicious use of WriteProcessMemory (46 IoCs; identical write events collapsed into a count column)
  pid    process                                target pid   target process                         count
  1472   02179909185ee25814dd4ea226540021.exe   684          02179909185ee25814dd4ea226540021.exe   9
  1472   02179909185ee25814dd4ea226540021.exe   1596         WerFault.exe                           4
  684    02179909185ee25814dd4ea226540021.exe   536          cmd.exe                                4
  684    02179909185ee25814dd4ea226540021.exe   2032         cmd.exe                                4
  536    cmd.exe                                1048         schtasks.exe                           4
  2032   cmd.exe                                1164         timeout.exe                            4
  2032   cmd.exe                                340          iconfx.exe                             4
  340    iconfx.exe                             1252         iconfx.exe                             9
  340    iconfx.exe                             1956         WerFault.exe                           4
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5B1.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\iconfx.exe
        Command line: "C:\Users\Admin\AppData\Roaming\iconfx.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\iconfx.exe
          Command line: "C:\Users\Admin\AppData\Roaming\iconfx.exe"
          - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 652
          - Loads dropped DLL
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 640
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpA5B1.tmp.bat
  MD5: dd7704c0c8e9db5773798b04f3b7f03b
  SHA1: 618e0ec5ace70ac4b2b964b6cfcd0dbb093b5239
  SHA256: 3813aad92cfc150874b5f02d950bac0c2c7793ceec7b3009501f52d29581d1b2
  SHA512: 159d37bfb2471671b3e1acd443d219f90a01b7c2ebd3926f2a60dffd26cfced8ee29da220704307d1d22158e4e174085938f96b2c76ae80672a489a265898220

C:\Users\Admin\AppData\Roaming\iconfx.exe (listed 3 times; hashes match the submitted sample)
  MD5: 02179909185ee25814dd4ea226540021
  SHA1: d54bd08e2c4b7aa3971eff0ee15ac064889c1f5b
  SHA256: aebf016b75a0461729b84255f307d279a60675a8769affdb69f9ad68ba9b86b3
  SHA512: 6933dcc2d81d62d12756436df4f8bde39fe1ccb868b73a323153dbb360059cb82111d5ff134c43269879cf8dbb9b69a17732fccbfa927295e87a82831dea9105

\Users\Admin\AppData\Roaming\iconfx.exe (listed 7 times; hashes match the submitted sample)
  MD5: 02179909185ee25814dd4ea226540021
  SHA1: d54bd08e2c4b7aa3971eff0ee15ac064889c1f5b
  SHA256: aebf016b75a0461729b84255f307d279a60675a8769affdb69f9ad68ba9b86b3
  SHA512: 6933dcc2d81d62d12756436df4f8bde39fe1ccb868b73a323153dbb360059cb82111d5ff134c43269879cf8dbb9b69a17732fccbfa927295e87a82831dea9105
Memory dumps
  dump                                                              filesize
  memory/340-81-0x0000000000230000-0x0000000000231000-memory.dmp   4KB
  memory/340-82-0x0000000004800000-0x0000000004801000-memory.dmp   4KB
  memory/340-79-0x0000000000000000-mapping.dmp
  memory/536-71-0x0000000000000000-mapping.dmp
  memory/684-70-0x0000000004810000-0x0000000004811000-memory.dmp   4KB
  memory/684-69-0x00000000757C1000-0x00000000757C3000-memory.dmp   8KB
  memory/684-64-0x0000000000400000-0x0000000000412000-memory.dmp   72KB
  memory/684-63-0x000000000040C6FE-mapping.dmp
  memory/684-62-0x0000000000400000-0x0000000000412000-memory.dmp   72KB
  memory/1048-73-0x0000000000000000-mapping.dmp
  memory/1164-75-0x0000000000000000-mapping.dmp
  memory/1252-85-0x000000000040C6FE-mapping.dmp
  memory/1472-59-0x0000000000C00000-0x0000000000C01000-memory.dmp  4KB
  memory/1472-66-0x00000000003D0000-0x00000000003D3000-memory.dmp  12KB
  memory/1472-61-0x0000000000290000-0x00000000002A1000-memory.dmp  68KB
  memory/1472-60-0x0000000004E90000-0x0000000004E91000-memory.dmp  4KB
  memory/1596-68-0x00000000005E0000-0x00000000005E1000-memory.dmp  4KB
  memory/1596-67-0x0000000000000000-mapping.dmp
  memory/1956-88-0x0000000000000000-mapping.dmp
  memory/1956-94-0x0000000000280000-0x0000000000281000-memory.dmp  4KB
  memory/2032-72-0x0000000000000000-mapping.dmp