Analysis
- max time kernel: 149s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 05:16
Behavioral task: behavioral1
- Sample: 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
- Resource: win10v2004-en-20220112
General
- Target: 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
- Size: 46KB
- MD5: 6aeffcb0f2c4703a35309f019e001822
- SHA1: 2b3237ca7a252a96997263575fbb96e9d2f24320
- SHA256: 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3
- SHA512: 87af7919630a99b17839f14d558e091985ecc3e67597cd8445e0ab1ae06bf3205d4e148958f6d298f41defbab9139f17868a580aecd6bd1b9061aae8d17d7d3d
Malware Config
Signatures
- Async RAT payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/760-53-0x0000000000030000-0x0000000000042000-memory.dmp / asyncrat
  - C:\Users\Admin\AppData\Local\Temp\Update.exe / asyncrat
  - C:\Users\Admin\AppData\Local\Temp\Update.exe / asyncrat
  - behavioral1/memory/1384-58-0x0000000001060000-0x0000000001072000-memory.dmp / asyncrat
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1384 / Update.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
  - 1272 / timeout.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
  - 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
  - 1384 / Update.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
  - Token: SeDebugPrivilege / 1384 / Update.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 760 wrote to memory of 584 / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe / schtasks.exe
  - PID 760 wrote to memory of 584 / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe / schtasks.exe
  - PID 760 wrote to memory of 584 / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe / schtasks.exe
  - PID 760 wrote to memory of 860 / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe / cmd.exe
  - PID 760 wrote to memory of 860 / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe / cmd.exe
  - PID 760 wrote to memory of 860 / 760 / 87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe / cmd.exe
  - PID 860 wrote to memory of 1272 / 860 / cmd.exe / timeout.exe
  - PID 860 wrote to memory of 1272 / 860 / cmd.exe / timeout.exe
  - PID 860 wrote to memory of 1272 / 860 / cmd.exe / timeout.exe
  - PID 860 wrote to memory of 1384 / 860 / cmd.exe / Update.exe
  - PID 860 wrote to memory of 1384 / 860 / cmd.exe / Update.exe
  - PID 860 wrote to memory of 1384 / 860 / cmd.exe / Update.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87346c61f33de8032a07485854ff530fc91d48770ab3f6c660c78f20575686b3.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Update"' /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\Update.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  MD5: 31a492018601fce66d9eb89deb6c4d27
  SHA1: 02faadb47c0d5cd883a9eb3460679fdded1bb508
  SHA256: 79b6bb9887372b42aef92a30c02adc4c7042d88c71eb812a3f37c9e93b9fc567
  SHA512: 75652417228ab2f063b49551b57f8559453f57faeb628e826b584f8a0c3ec93912744698d261fbfaaf34595d26f01a52f55e441895f2c119bf0d2c1c473d3456
- C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.bat
  MD5: d3acc6668114446ea36bc284e4f72de0
  SHA1: 9e43023231d0c483d206f9fe146d4f934181377a
  SHA256: 63aa18bd8ad3d2008ee5fd9296cf82a38388de0519f1d63b6d1511df9e27283e
  SHA512: 8db3b2f2eb02b3da573329db0f91f5a3a2911251f1087934c5ae58d8607bd6dc7b8b9a4c8a6c00a8a35bdf662a02473dabb7e503314b59003399016ba5dd51ef
- memory/760-53-0x0000000000030000-0x0000000000042000-memory.dmp
  Filesize: 72KB
- memory/760-54-0x000000001B0A0000-0x000000001B0A2000-memory.dmp
  Filesize: 8KB
- memory/1384-58-0x0000000001060000-0x0000000001072000-memory.dmp
  Filesize: 72KB
- memory/1384-59-0x000000001B280000-0x000000001B282000-memory.dmp
  Filesize: 8KB