Analysis
- max time kernel: 154s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 24-02-2022 08:36
Static task: static1
Behavioral task: behavioral1
  Sample: 1dfb8f4b408ad8a763e4655e90c07093.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 1dfb8f4b408ad8a763e4655e90c07093.exe
  Resource: win10v2004-en-20220112
General
- Target: 1dfb8f4b408ad8a763e4655e90c07093.exe
- Size: 668KB
- MD5: 1dfb8f4b408ad8a763e4655e90c07093
- SHA1: be332a245adcd81707dd3de6b60653e2f68a0256
- SHA256: a7999bf95618f2e2c37c5d0e805f8ff4fa44d2254e0ee0175df630f386a0c979
- SHA512: a7af9a29cc5942ca67473f0f25f919bd22b6510b8f9738121dbac2f248dcfdbadc086097c120e00bba3df1fd08f7881d54fa3ec0a3775a0ab01219aa5991f9df
Malware Config
Extracted
asyncrat
0.5.7B
1
212.193.30.54:8755
gyQ12!.,=FD7trew
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: null
Signatures
- Async RAT payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/2796-134-0x0000000000400000-0x0000000000412000-memory.dmp | yara_rule: asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1dfb8f4b408ad8a763e4655e90c07093.exe
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | process: 1dfb8f4b408ad8a763e4655e90c07093.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 1dfb8f4b408ad8a763e4655e90c07093.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xhdgkfv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Wdnzjeuy\\Xhdgkfv.exe\"" | process: 1dfb8f4b408ad8a763e4655e90c07093.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 1dfb8f4b408ad8a763e4655e90c07093.exe
  description: PID 1636 set thread context of 2796 | pid: 1636 | process: 1dfb8f4b408ad8a763e4655e90c07093.exe | target process: MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid: 3264 | process: timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 1dfb8f4b408ad8a763e4655e90c07093.exe
  pid: 1636 | process: 1dfb8f4b408ad8a763e4655e90c07093.exe
  pid: 1636 | process: 1dfb8f4b408ad8a763e4655e90c07093.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 1dfb8f4b408ad8a763e4655e90c07093.exe
  description: Token: SeDebugPrivilege | pid: 1636 | process: 1dfb8f4b408ad8a763e4655e90c07093.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 1dfb8f4b408ad8a763e4655e90c07093.exe, cmd.exe
  description | pid | process | target process
  PID 1636 wrote to memory of 444 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | cmd.exe
  PID 1636 wrote to memory of 444 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | cmd.exe
  PID 1636 wrote to memory of 444 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | cmd.exe
  PID 444 wrote to memory of 3264 | 444 | cmd.exe | timeout.exe
  PID 444 wrote to memory of 3264 | 444 | cmd.exe | timeout.exe
  PID 444 wrote to memory of 3264 | 444 | cmd.exe | timeout.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
  PID 1636 wrote to memory of 2796 | 1636 | 1dfb8f4b408ad8a763e4655e90c07093.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1dfb8f4b408ad8a763e4655e90c07093.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dfb8f4b408ad8a763e4655e90c07093.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 20
      - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1636-130-0x000000007454E000-0x000000007454F000-memory.dmp (Filesize: 4KB)
- memory/1636-131-0x0000000000D00000-0x0000000000DAE000-memory.dmp (Filesize: 696KB)
- memory/1636-132-0x0000000005730000-0x0000000005731000-memory.dmp (Filesize: 4KB)
- memory/1636-133-0x0000000001620000-0x00000000016B2000-memory.dmp (Filesize: 584KB)
- memory/2796-134-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2796-135-0x000000007454E000-0x000000007454F000-memory.dmp (Filesize: 4KB)
- memory/2796-136-0x0000000004D70000-0x0000000004D71000-memory.dmp (Filesize: 4KB)