Analysis
- max time kernel: 119s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 20:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 15a5548e976f9a8ffad4c6eb397cf52d.exe
  - Resource: win7-en-20211014
General
- Target: 15a5548e976f9a8ffad4c6eb397cf52d.exe
- Size: 253KB
- MD5: 15a5548e976f9a8ffad4c6eb397cf52d
- SHA1: a2b8e4e54cdc9b4f4565674cce538734288f82e5
- SHA256: 0ca4b3b694d6b317ab8df7c8f63198c7d696b9c238af5b9d83074670f4ed384b
- SHA512: 0f62e13137cae54313fe7acfafa8ac3166ddd58589102847e5df3e55830992a355c5cda4a5c891580f6e513242fc89b4458e19d58262fb3fbac3d0f92fbdd9b0
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Group / botnet ID: Default
- C2: dgrthdg.duckdns.org:1884 (a DuckDNS dynamic-DNS hostname on a non-standard port)
- Mutex: AsyncMutex_6SI8OkPnk
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_file: chrome.exe
- install_folder: %AppData%
- pastebin_config: null
With install set to false this build does not copy itself to install_folder\install_file or set up its own persistence, so the chrome.exe name is inert for this sample. The mutex is still created at start-up and, together with the C2 hostname, is the most direct indicator to hunt for.
Signatures
- Async RAT payload (5 IoCs)
  The asyncrat YARA rule matched five memory dumps of PID 1332 (InstallUtil.exe): four of the image region 0x0000000000400000-0x0000000000412000 and the mapping dump at 0x000000000040C74E.
  behavioral1/memory/1332-67-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/1332-66-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/1332-68-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral1/memory/1332-69-0x000000000040C74E-mapping.dmp
  behavioral1/memory/1332-72-0x0000000000400000-0x0000000000412000-memory.dmp
- Executes dropped EXE (1 IoC)
  PID 1332 InstallUtil.exe
- Loads dropped DLL (1 IoC)
  PID 1232 15a5548e976f9a8ffad4c6eb397cf52d.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1232 (15a5548e976f9a8ffad4c6eb397cf52d.exe) set thread context of PID 1332 (InstallUtil.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature, which it tags as likely ransomware behaviour; nothing else in this report points to ransomware, and the extracted payload is AsyncRAT.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1232 15a5548e976f9a8ffad4c6eb397cf52d.exe (2 hits)
  PID 1372 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1232 15a5548e976f9a8ffad4c6eb397cf52d.exe
  Token: SeDebugPrivilege, PID 1372 powershell.exe
  Token: SeDebugPrivilege, PID 1332 InstallUtil.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1232 (15a5548e976f9a8ffad4c6eb397cf52d.exe) wrote to memory of PID 616 (WScript.exe): 4 writes
  PID 1232 (15a5548e976f9a8ffad4c6eb397cf52d.exe) wrote to memory of PID 1332 (InstallUtil.exe): 12 writes
  PID 616 (WScript.exe) wrote to memory of PID 1372 (powershell.exe): 4 writes
  The 12 writes into InstallUtil.exe followed by the SetThreadContext call above are consistent with process hollowing: the AsyncRAT image is written into the dropped InstallUtil.exe host and its primary thread is redirected into it, which is why the asyncrat YARA hits are in PID 1332 rather than in the dropper. The 4 writes into each directly spawned child (WScript.exe, powershell.exe) are the ordinary parent-side writes that accompany process creation.
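To show how the SetThreadContext and WriteProcessMemory signatures and the YARA hit at 0x40C74E fit together, here is a small correlation over a sandbox-style API trace. This is an added example, not the sandbox's own signature code and not part of the report. The event schema (api, calling PID, target PID, args) and the trace itself are constructed from the report's PIDs and addresses; the individual write sizes, the PEB write and the second, benign sequence are assumptions.

```python
"""Process-hollowing heuristic over a sandbox API trace.

Added example: this is not the sandbox's code and not part of the report.
The event schema (api, caller pid, target pid, args) and the trace below are
constructed from the report's PIDs and addresses; the individual write sizes,
the PEB write and the second, benign sequence are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit


@dataclass
class Event:
    api: str
    pid: int                          # calling process
    target_pid: Optional[int] = None  # process the call acts on, if any
    args: Dict = field(default_factory=dict)


def detect_hollowing(events: List[Event]) -> List[Dict]:
    """Report a creator that writes into a child it started suspended and then
    points the child's thread at an address inside what it wrote."""
    suspended: Dict[int, int] = {}                 # child pid -> creator pid
    writes: Dict[int, List[Tuple[int, int]]] = {}  # child pid -> [(base, size)]
    findings: List[Dict] = []
    for ev in events:
        child = ev.target_pid
        if ev.api == "CreateProcessInternalW" and ev.args.get("flags", 0) & CREATE_SUSPENDED:
            suspended[child] = ev.pid
            writes[child] = []
        elif suspended.get(child) != ev.pid:
            continue  # only the creator's own actions on its suspended child matter
        elif ev.api == "WriteProcessMemory":
            writes[child].append((ev.args["base"], ev.args["size"]))
        elif ev.api == "SetThreadContext":
            eip = ev.args["eip"]
            inside = [(b, s) for b, s in writes[child] if b <= eip < b + s]
            if inside:
                image_base = min(b for b, _ in writes[child])
                findings.append({
                    "creator": ev.pid, "child": child,
                    "entry": eip, "entry_rva": eip - image_base,
                    "image_base": image_base,
                    "write_count": len(writes[child]),
                    "bytes_written": sum(s for _, s in writes[child]),
                    "resumed": False,
                })
        elif ev.api == "ResumeThread":
            for f in findings:
                if f["child"] == child and f["creator"] == ev.pid:
                    f["resumed"] = True
    return findings


# Constructed trace modelled on the report: PID 1232 hollows PID 1332 and the
# AsyncRAT image lands at 0x400000-0x412000 with the thread entry at 0x40C74E.
TRACE = [
    Event("CreateProcessInternalW", 1232, 1332,
          {"image": r"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe", "flags": CREATE_SUSPENDED}),
    Event("NtUnmapViewOfSection", 1232, 1332, {"base": 0x400000}),
    Event("VirtualAllocEx", 1232, 1332, {"base": 0x400000, "size": 0x12000}),
    Event("WriteProcessMemory", 1232, 1332, {"base": 0x400000, "size": 0x400}),    # PE headers (assumed size)
    Event("WriteProcessMemory", 1232, 1332, {"base": 0x401000, "size": 0x11000}),  # sections (assumed size)
    Event("WriteProcessMemory", 1232, 1332, {"base": 0x7EFDE008, "size": 4}),      # PEB ImageBaseAddress (assumed)
    Event("SetThreadContext", 1232, 1332, {"eip": 0x40C74E}),
    Event("ResumeThread", 1232, 1332),
    # Benign control: a suspended start whose thread is redirected to memory the
    # creator never wrote (a debugger-style edit); must not be flagged.
    Event("CreateProcessInternalW", 500, 501,
          {"image": r"C:\Windows\System32\notepad.exe", "flags": CREATE_SUSPENDED}),
    Event("SetThreadContext", 500, 501, {"eip": 0x77A4FE10}),
    Event("ResumeThread", 500, 501),
]

if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"PID {f['creator']} hollowed PID {f['child']}: entry 0x{f['entry']:X} "
              f"(RVA 0x{f['entry_rva']:X} from 0x{f['image_base']:X}), "
              f"{f['write_count']} writes, {f['bytes_written']} bytes, resumed={f['resumed']}")
```

The check that matters is the last one: a SetThreadContext whose new instruction pointer lies inside memory the same process wrote into a child it created suspended. Writes into a child on their own are noise (every spawn in the tree shows some), and SetThreadContext on its own is what debuggers do; the combination, with the entry landing in freshly written memory, is the hollowing signal. The entry RVA of 0xC74E from the 0x400000 base is the same offset the report's mapping dump records.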
Processes
- C:\Users\Admin\AppData\Local\Temp\15a5548e976f9a8ffad4c6eb397cf52d.exe (PID 1232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15a5548e976f9a8ffad4c6eb397cf52d.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 616)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Iotqmhyqaibqqffzysgbm.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1372)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Downloads\iobituninstaller.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (PID 1332)
    Command line: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Notes on the tree: the command lines name System32 but the images resolve under SysWOW64, so the chain runs as 32-bit processes under WoW64 file-system redirection. The dropped VBS exists only to launch PowerShell, which adds Microsoft Defender exclusions for the whole C:\ drive and for an iobituninstaller.exe path under the user's Start Menu; Set-MpPreference -ExclusionPath replaces the existing exclusion list rather than appending to it (Add-MpPreference appends) and needs administrative rights to take effect. InstallUtil.exe is launched from %Temp% rather than from its usual location under %windir%\Microsoft.NET\Framework, and serves as the hollowed host for the AsyncRAT payload.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- C:\Users\Admin\AppData\Local\Temp\_Iotqmhyqaibqqffzysgbm.vbs
  MD5 5688b2eb801a351378401ff15237c20f
  SHA1 5cbf0e609ac127d8d4bcdff972cdc61a310b702a
  SHA256 fcd85a624694b7643dfa007fcff9d14c0fa18b311a9add2cabf6d8f81541b3ce
  SHA512 d5a72caed29e8c362770d131a139d2c143d5b898f25b04d56b76f1ebec206faaebbd2343407e6d7204665f7e1986b7a3861b31d7859208b6979094e387775dba
- \Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
- memory/616-62-0x0000000075821000-0x0000000075823000-memory.dmp, filesize 8KB
- memory/616-59-0x0000000000000000-mapping.dmp
- memory/1232-57-0x00000000009B0000-0x00000000009EA000-memory.dmp, filesize 232KB
- memory/1232-55-0x0000000000DE0000-0x0000000000DE1000-memory.dmp, filesize 4KB
- memory/1232-60-0x0000000000C90000-0x0000000000CA2000-memory.dmp, filesize 72KB
- memory/1232-58-0x0000000000AD0000-0x0000000000AD1000-memory.dmp, filesize 4KB
- memory/1332-66-0x0000000000400000-0x0000000000412000-memory.dmp, filesize 72KB
- memory/1332-65-0x0000000000400000-0x0000000000412000-memory.dmp, filesize 72KB
- memory/1332-68-0x0000000000400000-0x0000000000412000-memory.dmp, filesize 72KB
- memory/1332-67-0x0000000000400000-0x0000000000412000-memory.dmp, filesize 72KB
- memory/1332-69-0x000000000040C74E-mapping.dmp
- memory/1332-64-0x0000000000400000-0x0000000000412000-memory.dmp, filesize 72KB
- memory/1332-72-0x0000000000400000-0x0000000000412000-memory.dmp, filesize 72KB
- memory/1332-80-0x0000000000340000-0x0000000000341000-memory.dmp, filesize 4KB
- memory/1372-74-0x0000000000000000-mapping.dmp
- memory/1372-77-0x00000000025D0000-0x000000000321A000-memory.dmp, filesize 12.3MB
- memory/1372-78-0x00000000025D0000-0x000000000321A000-memory.dmp, filesize 12.3MB
- memory/1372-76-0x00000000025D0000-0x000000000321A000-memory.dmp, filesize 12.3MB