Analysis
- max time kernel: 118s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-09-2021 05:22
Static task
- static1
Behavioral tasks
- behavioral1: sample 133c10454108aa86301f79a03aa24046.exe, resource win7v20210408
- behavioral2: sample 133c10454108aa86301f79a03aa24046.exe, resource win10-en-20210920
The signatures, process tree and memory dumps below come from behavioral2 (the Windows 10 x64 run), as the behavioral2/ prefix on the dump names shows.
General
- Target: 133c10454108aa86301f79a03aa24046.exe (the file is named after its own MD5)
- Size: 650KB
- MD5: 133c10454108aa86301f79a03aa24046
- SHA1: 21439179cb8700406d57332079ab311d08b0c9bf
- SHA256: de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797
- SHA512: 8b2a492a5732c89c2e347270e9b1df4db26b79fefd6feae115b35a22b0851c7973fb0ecc9b6c6187791bf720d71a7b69374d81abf63f0ed73faed4efbee79fbe
Malware Config
Extracted (field labels restored from the extractor's standard AsyncRAT layout: family, version, botnet, C2, mutex, attributes)
- Family: asyncrat
- Version: 0.5.7B
- Botnet: 18
- C2: 185.157.160.136:1973
- Mutex: df4Rtg34dFjwr
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: null
With install=false the RAT's own installer is switched off; the Run key recorded under Signatures is written by the loader process, not by the injected RegAsm.exe, and points to %AppData%\cf\ct.exe rather than to anything the RAT config names. The C2 address and port, the mutex string and that Run value are the indicators to pivot on.
Signatures
- Async RAT payload (3 IoCs)
  YARA rule "asyncrat" matched three memory dumps of PID 2420 (RegAsm.exe):
    behavioral2/memory/2420-118-0x000000000040C68E-mapping.dmp
    behavioral2/memory/2420-117-0x0000000000400000-0x0000000000412000-memory.dmp
    behavioral2/memory/2420-126-0x0000000002820000-0x000000000283B000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 133c10454108aa86301f79a03aa24046.exe
    Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\cp = "C:\\Users\\Admin\\AppData\\Roaming\\cf\\ct.exe"
  The value is written by the loader (PID 2160) itself, not by the injected RegAsm.exe, which is consistent with install=false in the extracted config. The target ct.exe under %AppData%\cf is not among the artifacts listed on this page.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2160 (133c10454108aa86301f79a03aa24046.exe) set thread context of PID 2420 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this signature; for this sample the family is identified as AsyncRAT by the extracted config, and no file-encryption activity appears anywhere on this page.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2420 RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2420 RegAsm.exe enabled token privilege SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2160 133c10454108aa86301f79a03aa24046.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2160 (133c10454108aa86301f79a03aa24046.exe) wrote to memory of PID 2420 (RegAsm.exe), 8 records
  PID 2420 (RegAsm.exe) wrote to memory of PID 2296 (cmd.exe), 3 records
  PID 2296 (cmd.exe) wrote to memory of PID 1328 (powershell.exe), 3 records
  Eight writes into RegAsm.exe followed by SetThreadContext on the same process from the same parent is the process-hollowing sequence: the signed .NET utility's address space is overwritten with the AsyncRAT image (the 0x400000-0x412000 region tagged by YARA above) and a thread's context is redirected into it. The writes from RegAsm.exe into cmd.exe and from cmd.exe into powershell.exe carry no SetThreadContext and match the parent-side writes the sandbox records whenever a process launches a child; on their own they are not injection.
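The hollowing chain and the Run-key persistence above, re-derived from the report's own IoC records. This is an added example and not code from the sandbox or the malware: EVENTS is the page's signature text, constructed here as one record per line; the list of .NET utilities commonly used as hollowing hosts and the "user-writable path" heuristic are the author's own assumptions, not anything the report states.

```python
"""Re-derive the hollowing chain and the Run-key persistence from the
signature records above.  Added example, not part of the sandbox report:
EVENTS is the page's IoC text, constructed here as one record per line."""
import re
from collections import Counter

LOADER = "133c10454108aa86301f79a03aa24046.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed input: the records from the Signatures section, one per line.
EVENTS = [
    f"Key created {RUN_KEY} {LOADER}",
    f'Set value (str) {RUN_KEY}\\cp = "C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\cf\\\\ct.exe" {LOADER}',
    f"PID 2160 set thread context of 2420 2160 {LOADER} RegAsm.exe",
    *[f"PID 2160 wrote to memory of 2420 2160 {LOADER} RegAsm.exe"] * 8,
    *["PID 2420 wrote to memory of 2296 2420 RegAsm.exe cmd.exe"] * 3,
    *["PID 2296 wrote to memory of 1328 2296 cmd.exe powershell.exe"] * 3,
]

RE_WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RE_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
RE_RUNVAL = re.compile(r'^Set value \(str\) (\S+\\CurrentVersion\\Run\\(\S+)) = "(.*)" (\S+)$')

# Signed .NET Framework utilities commonly hollowed by commodity loaders (author's list, an assumption).
NET_LOLBINS = {"RegAsm.exe", "RegSvcs.exe", "MSBuild.exe", "InstallUtil.exe", "AppLaunch.exe"}
# Directories a non-admin user can write to; an autorun pointing there is a weak but useful signal.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def parse_events(lines):
    """Type the flat records: (src_pid, dst_pid, src_image, dst_image) for
    memory writes and thread-context changes, a dict for Run values."""
    events = {"write": [], "ctx": [], "runval": []}
    for line in lines:
        line = line.strip()
        if m := RE_WRITE.match(line):
            events["write"].append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := RE_CTX.match(line):
            events["ctx"].append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := RE_RUNVAL.match(line):
            # The report renders backslashes in value data doubled; undo that.
            events["runval"].append({"path": m[1], "name": m[2],
                                     "data": m[3].replace("\\\\", "\\"), "set_by": m[4]})
    return events

def find_hollowing(events):
    """Hollowing = a parent writes into a child and then rewrites a thread
    context in it.  Writes alone also occur when any parent launches a child,
    so SetThreadContext is the discriminating event."""
    writes = Counter((s, d) for s, d, _, _ in events["write"])
    return [{"src": s, "dst": d, "src_image": si, "target_image": di,
             "writes": writes.get((s, d), 0), "lolbin_target": di in NET_LOLBINS}
            for s, d, si, di in events["ctx"]]

def find_autorun(events):
    """Run values, flagged when the target lives in a user-writable directory."""
    return [{**v, "user_writable": any(p in v["data"].lower() for p in USER_WRITABLE)}
            for v in events["runval"]]

def analyze(lines):
    ev = parse_events(lines)
    pairs = Counter((s, d) for s, d, _, _ in ev["write"])
    return {"hollowing": find_hollowing(ev), "autorun": find_autorun(ev),
            "write_pairs": {f"{s}->{d}": n for (s, d), n in pairs.items()}}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

Run stand-alone it prints one hollowing finding (2160 into 2420, eight writes, RegAsm.exe as target), the autorun entry "cp" flagged as user-writable and attributed to the loader, and the three write pairs with their counts; the cmd.exe and powershell.exe pairs produce no hollowing finding because no SetThreadContext record exists for them.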
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\133c10454108aa86301f79a03aa24046.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\133c10454108aa86301f79a03aa24046.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hrvlqn.exe"' & exit
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hrvlqn.exe"'
Notes on the tree:
- RegAsm.exe is started with no arguments. The genuine assembly-registration tool needs an assembly path, so an argument-less RegAsm.exe spawned by an executable in %TEMP% is a hunting lead on its own, independent of the injection signatures.
- The image paths for cmd.exe and powershell.exe resolve to SysWOW64 although the command line names System32: the parent is the 32-bit RegAsm.exe (Framework, not Framework64), so WoW64 file-system redirection applies to its children.
- The command lines are reproduced verbatim, including the non-ASCII dash before ExecutionPolicy. PowerShell's parser accepts Unicode dash characters in place of the hyphen, so a detection that matches only the literal ASCII string "-ExecutionPolicy Bypass" would miss this invocation.
- hrvlqn.exe, launched from %TEMP% through cmd.exe and Start-Process, is not among the artifacts listed on this page.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, behavioral2)
- memory/1328-129-0x0000000000000000-mapping.dmp
- memory/2296-128-0x0000000000000000-mapping.dmp
- memory/2420-118-0x000000000040C68E-mapping.dmp
- memory/2420-117-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/2420-121-0x0000000004ED0000-0x0000000004ED1000-memory.dmp (4KB)
- memory/2420-122-0x0000000005890000-0x0000000005891000-memory.dmp (4KB)
- memory/2420-123-0x0000000005E30000-0x0000000005E31000-memory.dmp (4KB)
- memory/2420-124-0x0000000005930000-0x0000000005931000-memory.dmp (4KB)
- memory/2420-125-0x00000000068B0000-0x00000000068B1000-memory.dmp (4KB)
- memory/2420-126-0x0000000002820000-0x000000000283B000-memory.dmp (108KB)
- memory/2420-127-0x00000000028A0000-0x00000000028A1000-memory.dmp (4KB)
The listed sizes match the address ranges (0x412000 - 0x400000 = 0x12000 = 72KB; 0x283B000 - 0x2820000 = 0x1B000 = 108KB; the rest are single 4KB pages). The 72KB region at 0x400000 in RegAsm.exe (PID 2420) is one of the regions the asyncrat YARA rule tagged, and the tagged mapping address 0x40C68E lies inside it; 0x400000 is the default image base of a 32-bit executable, so this dump is the hollowed-in payload image and the one to carve for further analysis. The 108KB region at 0x2820000 also matched the rule.
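Indexing these artifacts and cross-checking them against the YARA hits, as an added example that is not part of the report: the script parses each name as <pid>-<sequence>-<address range> (reading the middle number as a per-task sequence counter is an assumption), checks that the listed size equals the range, and reports which tagged mapping address falls inside which tagged region. The artifact names, sizes and YARA tags are copied from this page.

```python
"""Index the memory-dump artifacts listed above and cross-check them against
the YARA hits from the Signatures section.  Added example, not part of the
sandbox report; names and sizes are copied from the page, and reading the
name as <pid>-<sequence>-<range> is an assumption."""
import re

# Constructed input: the Downloads list as "name [size]" records.
DOWNLOADS = """
memory/1328-129-0x0000000000000000-mapping.dmp
memory/2296-128-0x0000000000000000-mapping.dmp
memory/2420-118-0x000000000040C68E-mapping.dmp
memory/2420-117-0x0000000000400000-0x0000000000412000-memory.dmp 72KB
memory/2420-121-0x0000000004ED0000-0x0000000004ED1000-memory.dmp 4KB
memory/2420-122-0x0000000005890000-0x0000000005891000-memory.dmp 4KB
memory/2420-123-0x0000000005E30000-0x0000000005E31000-memory.dmp 4KB
memory/2420-124-0x0000000005930000-0x0000000005931000-memory.dmp 4KB
memory/2420-125-0x00000000068B0000-0x00000000068B1000-memory.dmp 4KB
memory/2420-126-0x0000000002820000-0x000000000283B000-memory.dmp 108KB
memory/2420-127-0x00000000028A0000-0x00000000028A1000-memory.dmp 4KB
"""

# YARA matches from "Async RAT payload", keyed by artifact (task prefix dropped).
YARA_HITS = {
    "memory/2420-118-0x000000000040C68E-mapping.dmp": "asyncrat",
    "memory/2420-117-0x0000000000400000-0x0000000000412000-memory.dmp": "asyncrat",
    "memory/2420-126-0x0000000002820000-0x000000000283B000-memory.dmp": "asyncrat",
}

RE_RANGE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
RE_MAP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

def parse_size(text):
    """'72KB' -> 73728; the report's KB is 1024 bytes, as the ranges confirm."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    return int(m[1]) * UNITS[m[2]]

def parse_artifact(name, listed_size=None):
    """Split one artifact name into its fields; regions also get a size check."""
    if m := RE_RANGE.match(name):
        start, end = int(m[3], 16), int(m[4], 16)
        return {"name": name, "pid": int(m[1]), "seq": int(m[2]), "kind": "region",
                "start": start, "end": end, "size": end - start,
                "size_ok": listed_size is None or listed_size == end - start}
    if m := RE_MAP.match(name):
        return {"name": name, "pid": int(m[1]), "seq": int(m[2]), "kind": "mapping",
                "addr": int(m[3], 16)}
    raise ValueError(f"unrecognised artifact name: {name}")

def index_downloads(text):
    """Parse every record and attach the YARA tag, if any."""
    items = []
    for line in text.strip().splitlines():
        parts = line.split()
        size = parse_size(parts[1]) if len(parts) > 1 else None
        item = parse_artifact(parts[0], size)
        item["yara"] = YARA_HITS.get(parts[0])
        items.append(item)
    return items

def payload_regions(items):
    """Tagged address ranges, each with the tagged mapping addresses of the
    same PID that fall inside it (the entry-point dump should land in the image)."""
    regions = [i for i in items if i["kind"] == "region" and i["yara"]]
    maps = [i for i in items if i["kind"] == "mapping" and i["yara"]]
    for r in regions:
        r["tagged_addrs_inside"] = [m["addr"] for m in maps
                                    if m["pid"] == r["pid"] and r["start"] <= m["addr"] < r["end"]]
    return regions

if __name__ == "__main__":
    for r in payload_regions(index_downloads(DOWNLOADS)):
        inside = ", ".join(hex(a) for a in r["tagged_addrs_inside"]) or "none"
        print(f"pid {r['pid']} {hex(r['start'])}-{hex(r['end'])} {r['size'] // 1024}KB "
              f"yara={r['yara']} size_ok={r['size_ok']} tagged_addrs_inside={inside}")
```

Run stand-alone it reports the two tagged regions of PID 2420, both with size_ok true, and shows that 0x40C68E sits inside the 0x400000-0x412000 image region and nothing tagged sits inside the 0x2820000 region. A mismatch between a listed size and its range, or a tagged mapping address outside every tagged region, would be the cue to re-check the artifacts before carving.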