Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22-01-2022 14:51

Static task: static1

Behavioral task: behavioral1
  Sample: af1e6b53fc3e4679bedd29c25e057b10.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: af1e6b53fc3e4679bedd29c25e057b10.exe
  Resource: win10-en-20211208
General
Target: af1e6b53fc3e4679bedd29c25e057b10.exe
Size: 3.9MB
MD5: af1e6b53fc3e4679bedd29c25e057b10
SHA1: f5a82edb61a2a0c896406b4cc48c9d1bd5bb082e
SHA256: bada7e61229d4c6bba936e8b163034b3421680c1f4ebbc69160fc96fc5bdb8ca
SHA512: 009298300cb8e631c2d28f34268900d8015fe8bbd2e7c21f5eda320a76debea6057a8207d5b30c193f6a182064c4bafeca98ec502a713de70969040191fdedc6
Malware Config
Extracted
Family: asyncrat
Version: 0.5.6B
C2: s1995.ddns.net:5000
Mutex: umgxmwaynloootia
anti_vm: false
bsod: false
delay: 5
install: true
install_file: zwindows.exe
install_folder: %AppData%
pastebin_config: null
Signatures

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Async RAT payload (1 IoC)
  resource: behavioral1/memory/460-80-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: asyncrat

Downloads MZ/PE file

Executes dropped EXE (5 IoCs)
  Processes (pid, process):
    460  update.exe
    1120 windows.exe
    1196 9999.exe
    1936 revil.exe
    1372 zwindows.exe

Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    1724 af1e6b53fc3e4679bedd29c25e057b10.exe
    1724 af1e6b53fc3e4679bedd29c25e057b10.exe
    1120 windows.exe
    1196 9999.exe
    1592 cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Roaming\\start.exe" by af1e6b53fc3e4679bedd29c25e057b10.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  Processes (pid, process):
    756 timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    1196 9999.exe
    460  update.exe
    460  update.exe
    460  update.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 1724 af1e6b53fc3e4679bedd29c25e057b10.exe
    Token: SeDebugPrivilege 460  update.exe
    Token: SeDebugPrivilege 1120 windows.exe
    Token: SeDebugPrivilege 1196 9999.exe
    Token: SeDebugPrivilege 1936 revil.exe
    Token: SeDebugPrivilege 1372 zwindows.exe

Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source pid, source process, target pid, target process, count):
    1724 af1e6b53fc3e4679bedd29c25e057b10.exe wrote to memory of 460  update.exe   (x7)
    1724 af1e6b53fc3e4679bedd29c25e057b10.exe wrote to memory of 1120 windows.exe  (x4)
    1120 windows.exe                          wrote to memory of 1196 9999.exe     (x4)
    1196 9999.exe                             wrote to memory of 1936 revil.exe    (x4)
    460  update.exe                           wrote to memory of 1604 schtasks.exe (x4)
    460  update.exe                           wrote to memory of 1592 cmd.exe      (x4)
    1592 cmd.exe                              wrote to memory of 756  timeout.exe  (x4)
    1592 cmd.exe                              wrote to memory of 1372 zwindows.exe (x7)
Processes (indented by process tree depth)

C:\Users\Admin\AppData\Local\Temp\af1e6b53fc3e4679bedd29c25e057b10.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af1e6b53fc3e4679bedd29c25e057b10.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\update.exe
    command line: "C:\Users\Admin\AppData\Roaming\update.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'zwindows"' /tr "'C:\Users\Admin\AppData\Roaming\zwindows.exe"'
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        command line: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\zwindows.exe
        command line: "C:\Users\Admin\AppData\Roaming\zwindows.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\windows.exe
    command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\9999.exe
      command line: "C:\Users\Admin\AppData\Roaming\9999.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\revil.exe
        command line: "C:\Users\Admin\AppData\Roaming\revil.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads