Analysis
-
max time kernel
150s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220331-en -
submitted
30-03-2022 02:08
Static task
static1
Behavioral task
behavioral1
Sample
813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
Resource
win7-20220331-en
General
-
Target
813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
-
Size
218KB
-
MD5
b84e980a2ddc7fe338f990caeb01a132
-
SHA1
e84a77f956e9cc4d9bee3063ca7ad2d2bd0f859a
-
SHA256
813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4
-
SHA512
7d80551fff887bee3d6af0e3990bb916a0eb58ed1f6a5c1b2f3b8723429a0d06b8019078e9f3948a3d3ab7bef5accfc440958c896da6eb28ddf4b174a4570274
Malware Config
Signatures
-
Async RAT payload 4 IoCs
resource yara_rule behavioral1/files/0x0007000000012737-58.dat asyncrat behavioral1/files/0x0007000000012737-61.dat asyncrat behavioral1/files/0x0007000000012737-60.dat asyncrat behavioral1/memory/904-62-0x0000000000290000-0x00000000002BC000-memory.dmp asyncrat -
Executes dropped EXE 1 IoCs
pid Process 904 tmp.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Registry Updater.exe.lnk 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe -
Loads dropped DLL 1 IoCs
pid Process 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 904 tmp.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe Token: 33 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe Token: SeIncBasePriorityPrivilege 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe Token: SeDebugPrivilege 904 tmp.exe Token: SeDebugPrivilege 904 tmp.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1304 wrote to memory of 1476 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 28 PID 1304 wrote to memory of 1476 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 28 PID 1304 wrote to memory of 1476 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 28 PID 1304 wrote to memory of 1476 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 28 PID 1304 wrote to memory of 1716 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 30 PID 1304 wrote to memory of 1716 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 30 PID 1304 wrote to memory of 1716 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 30 PID 1304 wrote to memory of 1716 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 30 PID 1304 wrote to memory of 904 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 32 PID 1304 wrote to memory of 904 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 32 PID 1304 wrote to memory of 904 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 32 PID 1304 wrote to memory of 904 1304 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe"C:\Users\Admin\AppData\Local\Temp\813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Windows Registry Updater\Windows Registry Updater.exe:Zone.Identifier2⤵PID:1476
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "%appdata%\Windows Registry Updater\Windows Registry Updater.exe.jpg" Windows Registry Updater.exe2⤵PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146KB
MD5b62d18051855ba3768ed2228a9daa267
SHA11d7b42775a0eac738f7bc94ec110de8ff7d081ba
SHA25660dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94
SHA51200c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52
-
Filesize
146KB
MD5b62d18051855ba3768ed2228a9daa267
SHA11d7b42775a0eac738f7bc94ec110de8ff7d081ba
SHA25660dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94
SHA51200c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52
-
Filesize
146KB
MD5b62d18051855ba3768ed2228a9daa267
SHA11d7b42775a0eac738f7bc94ec110de8ff7d081ba
SHA25660dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94
SHA51200c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52