Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 21:42
Behavioral task: behavioral1
- Sample: 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
- Resource: win7-en-20210920
General
- Target: 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
- Size: 48KB
- MD5: 852b69a95f1ae83d9142fced3450977b
- SHA1: a48b15998be1e979530994675da17566d1769769
- SHA256: 3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19
- SHA512: 23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9
Malware Config
Signatures
- Async RAT payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Roaming\Gruop.exe | asyncrat
    C:\Users\Admin\AppData\Roaming\Gruop.exe | asyncrat
    C:\Users\Admin\AppData\Roaming\Gruop.exe | asyncrat
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1660 | Gruop.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    1620 | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    884 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
    2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
    Token: SeDebugPrivilege | 1660 | Gruop.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description | pid | process | target process
    PID 2004 wrote to memory of 1464 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1464 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1464 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1464 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1620 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1620 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1620 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 2004 wrote to memory of 1620 | 2004 | 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe | cmd.exe
    PID 1464 wrote to memory of 1244 | 1464 | cmd.exe | schtasks.exe
    PID 1464 wrote to memory of 1244 | 1464 | cmd.exe | schtasks.exe
    PID 1464 wrote to memory of 1244 | 1464 | cmd.exe | schtasks.exe
    PID 1464 wrote to memory of 1244 | 1464 | cmd.exe | schtasks.exe
    PID 1620 wrote to memory of 884 | 1620 | cmd.exe | timeout.exe
    PID 1620 wrote to memory of 884 | 1620 | cmd.exe | timeout.exe
    PID 1620 wrote to memory of 884 | 1620 | cmd.exe | timeout.exe
    PID 1620 wrote to memory of 884 | 1620 | cmd.exe | timeout.exe
    PID 1620 wrote to memory of 1660 | 1620 | cmd.exe | Gruop.exe
    PID 1620 wrote to memory of 1660 | 1620 | cmd.exe | Gruop.exe
    PID 1620 wrote to memory of 1660 | 1620 | cmd.exe | Gruop.exe
    PID 1620 wrote to memory of 1660 | 1620 | cmd.exe | Gruop.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2004
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Gruop" /tr '"C:\Users\Admin\AppData\Roaming\Gruop.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 1464
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Gruop" /tr '"C:\Users\Admin\AppData\Roaming\Gruop.exe"'
      - Creates scheduled task(s)
      PID: 1244
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC419.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1620
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 884
    - C:\Users\Admin\AppData\Roaming\Gruop.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Gruop.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1660
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 94e73be66903345c3466defe6a4592c2
  SHA1: 530edb3f35608b7f0ea0254386e09ec9a4dfdbaf
  SHA256: 78ede8346480126568857dea2b0a87d5d9356b26fe5c431cd6c976ace2398cc1
  SHA512: c17bb6c9eb830f416d9ec45611aa6f2e4b6b8744e98485f5e222f884f72048bd4ecfe5fed09d422a8e57e0b5c3317dfc8dfdce971ed0c7913cb0885cf3095d41
- MD5: 852b69a95f1ae83d9142fced3450977b
  SHA1: a48b15998be1e979530994675da17566d1769769
  SHA256: 3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19
  SHA512: 23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9