Analysis
- max time kernel: 134s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 24-02-2022 18:17
Static task: static1
Behavioral task: behavioral1
Sample: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
Resource: win10v2004-en-20220113
General
- Target: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
- Size: 671KB
- MD5: db73de377b65213640e910db6f18f33f
- SHA1: b5d30bcb05b536b7736be7c49502a39c24281f82
- SHA256: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8
- SHA512: 51a6535256262071ea520cceba1c84c395b23cb630b5c97f881205c6bec34bd4b3e06ff2ec3d80932d3194b22f63fc84b08e22adaa7f6639661e7643a9950c05
Malware Config
Extracted
asyncrat
0.5.7B
1
212.193.30.54:8755
gyQ12!.,=FD7trew
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: null
Signatures
- Async RAT payload 1 IoCs
  Processes:
    resource | yara_rule
    behavioral1/memory/3588-134-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xczxwi = "\"C:\\Users\\Admin\\AppData\\Roaming\\Xhaslxdcw\\Xczxwi.exe\"" | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
    description | pid | process | target process
    PID 2248 set thread context of 3588 | 2248 | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe | MSBuild.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe 1 IoCs
  Processes: timeout.exe
    pid | process
    1568 | timeout.exe
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  Processes: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
    pid | process
    2248 | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe (reported 6 times)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe, MSBuild.exe
    description | pid | process
    Token: SeDebugPrivilege | 2248 | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe
    Token: SeDebugPrivilege | 3588 | MSBuild.exe
- Suspicious use of WriteProcessMemory 17 IoCs
  Processes: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe, cmd.exe
    description | pid | process | target process
    PID 2248 wrote to memory of 3656 | 2248 | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe | cmd.exe (reported 3 times)
    PID 3656 wrote to memory of 1568 | 3656 | cmd.exe | timeout.exe (reported 3 times)
    PID 2248 wrote to memory of 2156 | 2248 | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe | MSBuild.exe (reported 3 times)
    PID 2248 wrote to memory of 3588 | 2248 | ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe | MSBuild.exe (reported 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8.exe"
  signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      command line: timeout 20
      signatures:
        - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    signatures:
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2248-130-0x0000000074F6E000-0x0000000074F6F000-memory.dmp
  Filesize: 4KB
- memory/2248-131-0x0000000000B70000-0x0000000000C1E000-memory.dmp
  Filesize: 696KB
- memory/2248-132-0x00000000060A0000-0x00000000060A1000-memory.dmp
  Filesize: 4KB
- memory/2248-133-0x0000000005E70000-0x0000000005F02000-memory.dmp
  Filesize: 584KB
- memory/3588-134-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/3588-135-0x0000000074F6E000-0x0000000074F6F000-memory.dmp
  Filesize: 4KB
- memory/3588-136-0x00000000054C0000-0x00000000054C1000-memory.dmp
  Filesize: 4KB
- memory/3588-137-0x00000000057B0000-0x000000000584C000-memory.dmp
  Filesize: 624KB
- memory/3588-138-0x0000000005E00000-0x00000000063A4000-memory.dmp
  Filesize: 5.6MB
- memory/3588-139-0x0000000005850000-0x00000000058B6000-memory.dmp
  Filesize: 408KB