Analysis
- max time kernel: 79s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 24-02-2022 18:59
Static task: static1
Behavioral task: behavioral1
- Sample: db73de377b65213640e910db6f18f33f.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: db73de377b65213640e910db6f18f33f.exe
- Resource: win10v2004-en-20220113
General
- Target: db73de377b65213640e910db6f18f33f.exe
- Size: 671KB
- MD5: db73de377b65213640e910db6f18f33f
- SHA1: b5d30bcb05b536b7736be7c49502a39c24281f82
- SHA256: ddb0822b3ff456aa4d91bf7356b01193a63b0e333d1a4c281e7b7c18733b8fd8
- SHA512: 51a6535256262071ea520cceba1c84c395b23cb630b5c97f881205c6bec34bd4b3e06ff2ec3d80932d3194b22f63fc84b08e22adaa7f6639661e7643a9950c05
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: 1
- C2: 212.193.30.54:8755
- Mutex: gyQ12!.,=FD7trew
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: null
Signatures
- Async RAT payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/440-134-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: db73de377b65213640e910db6f18f33f.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  process: db73de377b65213640e910db6f18f33f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: db73de377b65213640e910db6f18f33f.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xczxwi = "\"C:\\Users\\Admin\\AppData\\Roaming\\Xhaslxdcw\\Xczxwi.exe\""
  process: db73de377b65213640e910db6f18f33f.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: db73de377b65213640e910db6f18f33f.exe
  description: PID 4172 set thread context of 440
  pid: 4172
  process: db73de377b65213640e910db6f18f33f.exe
  target process: MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid: 1480
  process: timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: db73de377b65213640e910db6f18f33f.exe
  pid | process
  4172 | db73de377b65213640e910db6f18f33f.exe
  4172 | db73de377b65213640e910db6f18f33f.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: db73de377b65213640e910db6f18f33f.exe, MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 4172 | db73de377b65213640e910db6f18f33f.exe
  Token: SeDebugPrivilege | 440 | MSBuild.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: db73de377b65213640e910db6f18f33f.exe, cmd.exe
  description | pid | process | target process
  PID 4172 wrote to memory of 1184 | 4172 | db73de377b65213640e910db6f18f33f.exe | cmd.exe (listed 3 times)
  PID 1184 wrote to memory of 1480 | 1184 | cmd.exe | timeout.exe (listed 3 times)
  PID 4172 wrote to memory of 440 | 4172 | db73de377b65213640e910db6f18f33f.exe | MSBuild.exe (listed 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\db73de377b65213640e910db6f18f33f.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\db73de377b65213640e910db6f18f33f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (level 3)
      command line: timeout 20
      - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (level 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/440-134-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/440-135-0x000000007441E000-0x000000007441F000-memory.dmp (Filesize: 4KB)
- memory/440-136-0x0000000005A30000-0x0000000005A31000-memory.dmp (Filesize: 4KB)
- memory/440-137-0x0000000005980000-0x0000000005A1C000-memory.dmp (Filesize: 624KB)
- memory/440-138-0x0000000006230000-0x00000000067D4000-memory.dmp (Filesize: 5.6MB)
- memory/440-139-0x0000000005C80000-0x0000000005CE6000-memory.dmp (Filesize: 408KB)
- memory/4172-130-0x0000000000CE0000-0x0000000000D8E000-memory.dmp (Filesize: 696KB)
- memory/4172-131-0x000000007441E000-0x000000007441F000-memory.dmp (Filesize: 4KB)
- memory/4172-132-0x00000000031E0000-0x00000000031E1000-memory.dmp (Filesize: 4KB)
- memory/4172-133-0x00000000060E0000-0x0000000006172000-memory.dmp (Filesize: 584KB)