Analysis
- max time kernel: 146s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-09-2021 08:26
Static task: static1
Behavioral task: behavioral1, sample e136f191f0f60e3468e4d2544593790b.exe, resource win7-en
Behavioral task: behavioral2, sample e136f191f0f60e3468e4d2544593790b.exe, resource win10v20210408
General
- Target: e136f191f0f60e3468e4d2544593790b.exe
- Size: 586KB
- MD5: e136f191f0f60e3468e4d2544593790b
- SHA1: 4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c
- SHA256: 88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757
- SHA512: d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- botnet/group id: WIRE$$$$$$$$
- c2: severdops.ddns.net:6204
- mutex: AsyncMutex_6SI8OkPnk
- anti_vm: false
- bsod: false
- delay: 3
- install: true
- install_file: iconfx.exe
- install_folder: %AppData%
- pastebin_config: null

The install fields predict the host artifacts seen later in the behavioral run: a copy of the sample at %AppData%\iconfx.exe, a scheduled task named after the file stem, a 3-second wait before the copy is started, and the mutex above held by the running payload. The C2 is a dynamic-DNS hostname, so block or alert on the name rather than on whatever address it resolved to at analysis time.
Signatures
-
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3496-120-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral2/memory/3496-121-0x000000000040C6FE-mapping.dmp | asyncrat
  behavioral2/memory/3156-142-0x000000000040C6FE-mapping.dmp | asyncrat
  All three YARA hits are in the second-stage processes (3496, the child of the original sample, and 3156, the child of the dropped copy), not in the processes launched from disk; the on-disk file is a loader.
- Executes dropped EXE (2 IoCs)
  pid | process
  1224 | iconfx.exe
  3156 | iconfx.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 572 set thread context of 3496 | 572 | e136f191f0f60e3468e4d2544593790b.exe | e136f191f0f60e3468e4d2544593790b.exe
  PID 1224 set thread context of 3156 | 1224 | iconfx.exe | iconfx.exe
  In both cases the target is a freshly spawned second instance of the parent's own image that the parent has also written into (see WriteProcessMemory below), i.e. the process-hollowing / RunPE pattern; the unpacked AsyncRAT payload lives in the child.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic wording for drive enumeration. Nothing else in this report shows file encryption or mass file modification, and the extracted config identifies the sample as AsyncRAT, so treat the ransomware label as a weak heuristic rather than a finding.
-
- Program crash (2 IoCs)
  pid | pid_target | process | target process
  2980 | 572 | WerFault.exe | e136f191f0f60e3468e4d2544593790b.exe
  888 | 1224 | WerFault.exe | iconfx.exe
  Both crashing processes are the injecting parents; the hollowed children 3496 and 3156 are not reported as crashing.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Observed command (PID 800): schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
  The task fires at every logon; /rl highest asks for the highest run level the creating user holds, and /f overwrites any existing task of that name.
-
- Delays execution with timeout.exe (1 IoCs)
  pid | process
  1188 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (41 IoCs, condensed to one row per process with the hit count)
  pid | process | hits
  2980 | WerFault.exe | 13
  3496 | e136f191f0f60e3468e4d2544593790b.exe | 13
  888 | WerFault.exe | 15
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  token | pid | process
  SeDebugPrivilege | 572 | e136f191f0f60e3468e4d2544593790b.exe
  SeRestorePrivilege | 2980 | WerFault.exe
  SeBackupPrivilege | 2980 | WerFault.exe
  SeDebugPrivilege | 2980 | WerFault.exe
  SeDebugPrivilege | 3496 | e136f191f0f60e3468e4d2544593790b.exe
  SeDebugPrivilege | 1224 | iconfx.exe
  SeDebugPrivilege | 888 | WerFault.exe
  SeDebugPrivilege | 3156 | iconfx.exe
- Suspicious use of WriteProcessMemory (31 IoCs, condensed to one row per parent/target pair with the write count)
  pid | process | target pid | target process | writes
  572 | e136f191f0f60e3468e4d2544593790b.exe | 3496 | e136f191f0f60e3468e4d2544593790b.exe | 8
  3496 | e136f191f0f60e3468e4d2544593790b.exe | 3176 | cmd.exe | 3
  3496 | e136f191f0f60e3468e4d2544593790b.exe | 848 | cmd.exe | 3
  3176 | cmd.exe | 800 | schtasks.exe | 3
  848 | cmd.exe | 1188 | timeout.exe | 3
  848 | cmd.exe | 1224 | iconfx.exe | 3
  1224 | iconfx.exe | 3156 | iconfx.exe | 8
  Every ordinarily spawned child (cmd, schtasks, timeout, the dropped exe) receives three writes; the two same-image children that are also SetThreadContext targets receive eight, which is where the payload is written in.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe  (PID 572)
  command line: "C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe  (PID 3496; target of 572's WriteProcessMemory/SetThreadContext)
    command line: "C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3176)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe  (PID 800)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe  (PID 848)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD324.tmp.bat""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe  (PID 1188)
        command line: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\iconfx.exe  (PID 1224)
        command line: "C:\Users\Admin\AppData\Roaming\iconfx.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\iconfx.exe  (PID 3156; target of 1224's WriteProcessMemory/SetThreadContext)
          command line: "C:\Users\Admin\AppData\Roaming\iconfx.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe  (PID 888)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1112
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe  (PID 2980)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1080
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

The tree matches the extracted config field for field: install_folder %AppData% plus install_file iconfx.exe gives C:\Users\Admin\AppData\Roaming\iconfx.exe, the task is named after the file stem and runs at logon with the highest run level, and delay 3 is the "timeout 3" in the temporary batch file that waits before starting the dropped copy. The install logic runs from the hollowed child 3496 (it is the process that spawns both cmd.exe instances), not from the loader 572. The dropped copy repeats the loader's behaviour exactly: 1224 spawns and injects into a second iconfx.exe (3156), and both injecting parents then crash and are picked up by WerFault (2980 for 572, 888 for 1224).
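As an added example, not part of the sandbox report or of any vendor's product, the Python below turns the three behaviours the tree exhibits into checks over process-creation events: a logon-triggered, highest-run-level scheduled task whose action lives under AppData; a cmd.exe running a tmp*.tmp.bat from %TEMP% that both waits with timeout.exe and starts an EXE under AppData; and a process spawning a second instance of its own image. The events are constructed to mirror the tree above (same PIDs and command lines); the event field names and the rule names are assumptions, not any product's schema.

```python
"""Detection logic for the AsyncRAT install chain shown in the process tree."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e136f191f0f60e3468e4d2544593790b.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\iconfx.exe"
TASK = 'schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr \'"%s"\'' % DROP

# Constructed process-creation events mirroring the report's process tree.
# PIDs and command lines are the report's; the dict layout is an assumption,
# not any product's telemetry schema. 572's parent is not in the report.
EVENTS = [
    dict(pid=572,  ppid=None, image=SAMPLE, cmdline='"%s"' % SAMPLE),
    dict(pid=3496, ppid=572,  image=SAMPLE, cmdline='"%s"' % SAMPLE),
    dict(pid=3176, ppid=3496, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /c ' + TASK + " & exit"),
    dict(pid=800,  ppid=3176, image=r"C:\Windows\SysWOW64\schtasks.exe", cmdline=TASK),
    dict(pid=848,  ppid=3496, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD324.tmp.bat""'),
    dict(pid=1188, ppid=848,  image=r"C:\Windows\SysWOW64\timeout.exe", cmdline="timeout 3"),
    dict(pid=1224, ppid=848,  image=DROP, cmdline='"%s"' % DROP),
    dict(pid=3156, ppid=1224, image=DROP, cmdline='"%s"' % DROP),
    dict(pid=2980, ppid=572,  image=r"C:\Windows\SysWOW64\WerFault.exe",
         cmdline=r"C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1080"),
]

SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?(?P<task>[^"\s]+)"?.*?/tr\s+(?P<action>.+)',
    re.IGNORECASE,
)
TMP_BAT_RE = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp\.bat", re.IGNORECASE)


def in_user_profile(path):
    """True for paths under a per-user AppData directory (where iconfx.exe lands)."""
    return "\\appdata\\" in path.lower()


def schtasks_persistence(ev):
    """Logon-triggered, highest-run-level task whose action is a binary under AppData."""
    m = SCHTASKS_RE.search(ev["cmdline"])
    if not m:
        return None
    low = ev["cmdline"].lower()
    if "/sc onlogon" not in low or "/rl highest" not in low:
        return None
    # Drop the trailing "& exit" when launched via cmd /c, then the '"..."' quoting.
    action = m.group("action").split(" & ")[0].strip().strip("'").strip('"')
    if not in_user_profile(action):
        return None
    return {"rule": "schtasks_logon_persistence", "pid": ev["pid"],
            "task": m.group("task"), "action": action}


def delayed_drop_chains(events, children):
    """cmd.exe running a tmp*.tmp.bat from %TEMP% whose children include timeout.exe and an AppData EXE."""
    out = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe") or not TMP_BAT_RE.search(ev["cmdline"]):
            continue
        kids = children[ev["pid"]]
        waits = [c for c in kids if c["image"].lower().endswith("\\timeout.exe")]
        drops = [c for c in kids if in_user_profile(c["image"]) and c["image"].lower().endswith(".exe")]
        if waits and drops:
            out.append({"rule": "delayed_drop_chain", "pid": ev["pid"],
                        "delay": waits[0]["cmdline"], "dropped": [d["image"] for d in drops]})
    return out


def same_image_children(events, by_pid):
    """A process spawning its own image: the hollowing candidate. On its own this is only a
    candidate; the report confirms it with WriteProcessMemory/SetThreadContext telemetry."""
    out = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and parent["image"].lower() == ev["image"].lower():
            out.append({"rule": "same_image_child", "parent": parent["pid"],
                        "pid": ev["pid"], "image": ev["image"]})
    return out


def analyze(events):
    """Run the three checks over process-creation events and return all findings."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = [f for f in (schtasks_persistence(e) for e in events) if f]
    findings += delayed_drop_chains(events, children)
    findings += same_image_children(events, by_pid)
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The schtasks check fires twice on this tree (once on the cmd.exe wrapper, once on schtasks.exe itself), which is useful when only one of the two command lines is logged. The same-image check is deliberately loose: many legitimate programs (browsers, updaters) spawn their own image, so in production gate it on the API telemetry the report has, or on the child's image being unbacked at 0x400000 as the memory dumps show.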
Network
(no captured traffic is reproduced in this report; the C2 endpoint from the extracted config is severdops.ddns.net:6204)
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- C:\Users\Admin\AppData\Local\Temp\tmpD324.tmp.bat
  MD5 d347d378f7c2a712143cc99e0451204b
  SHA1 bb1adf8088e0092368135a2a2aa8d7980a52fe06
  SHA256 341a3e6e5b9984d589d9a880177ad8d243b816a354304a842d07df5083fe77cf
  SHA512 ecfbb358fdce9b34547f7936f6041ecc1fe78a02b5d5ed1c07bf8217ac10481420aee34bedd38196e877f0d6ec56775d8dc816df526b4d81acc5443f4c99d2f5
-
- C:\Users\Admin\AppData\Roaming\iconfx.exe (byte-identical to the submitted sample: all four hashes match the General section)
  MD5 e136f191f0f60e3468e4d2544593790b
  SHA1 4c9f0804d19fd54de4c8ad8d0c4d8b9f60563d8c
  SHA256 88b664a4ced04195d83f1964093c0a689fc174522ad9e8f8443d70a7f22cc757
  SHA512 d348b6c23bc4f56b4632875b199bedae025df2f71012e4d3a2a7d26d75b762df840d6daf0c13ba7d843caf4417e669a87930c3fabb01bead4e2e100eb3348874
-
- memory dumps (behavioral2), one row per dump; "mapping" entries carry no size
  pid-idx | region | size
  572-114 | 0x00000000001F0000-0x00000000001F1000 | 4KB
  572-115 | 0x0000000005100000-0x0000000005101000 | 4KB
  572-116 | 0x0000000004B10000-0x0000000004B11000 | 4KB
  572-117 | 0x0000000004A70000-0x0000000004B02000 | 584KB
  572-118 | 0x0000000004D10000-0x0000000004D11000 | 4KB
  572-119 | 0x00000000024F0000-0x0000000002501000 | 68KB
  572-122 | 0x0000000004A90000-0x0000000004A93000 | 12KB
  800-129 | 0x0000000000000000 (mapping) | -
  848-128 | 0x0000000000000000 (mapping) | -
  1188-131 | 0x0000000000000000 (mapping) | -
  1224-132 | 0x0000000000000000 (mapping) | -
  1224-138 | 0x00000000051C0000-0x00000000056BE000 | 5.0MB
  3156-142 | 0x000000000040C6FE (mapping) | -
  3156-147 | 0x00000000054A0000-0x00000000054A1000 | 4KB
  3176-127 | 0x0000000000000000 (mapping) | -
  3496-120 | 0x0000000000400000-0x0000000000412000 | 72KB
  3496-121 | 0x000000000040C6FE (mapping) | -
  3496-125 | 0x0000000004F60000-0x0000000004F61000 | 4KB

The 72KB region at 0x400000 in 3496 is the one the asyncrat YARA rule matched (see Signatures): a small image at the default 32-bit image base, far smaller than the 586KB loader on disk. The address 0x40C6FE lies inside that region and is recorded for both hollowed children (3496-121, 3156-142), consistent with the loader and the dropped copy injecting the same payload and pointing the thread at the same entry. The 584KB region in 572 is about the size of the submitted file itself. If you carve the payload for further analysis, start from 3496-120 rather than from any dump of 572 or 1224.