Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-04-2022 13:53

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  Resource: win10v2004-20220414-en
General
- Target: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
- Size: 3.7MB
- MD5: 50f94e792afda30fe1c485c2d733ddae
- SHA1: 5acb6535b97021f32220fb4ec2c68bb3019ec55b
- SHA256: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302
- SHA512: 2f5cdd6c589289e1e35cc50fc449c6419a81f724e65770d9bb2aca5f42472476a06de522e7a9f29d6e6dd52ff49fac355a058f9971ef3ee4b3c274ebd4de8834
Malware Config
Extracted: asyncrat
- Version: 0.5.6B
- 2
- C2:
  - 76.223.249.60:6606
  - 76.223.249.60:7707
  - 76.223.249.60:8808
- fscdeuqvqetgvzu
- delay: 0
- install: false
- install_file: support.exe
- install_folder: %AppData%
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\bAPSHbkkGXm778Nx\\fx3X8B2PSj7C.exe\",explorer.exe" (process: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe)
- Async RAT payload (1 IoC)
  Resource / YARA rule:
  - behavioral1/memory/800-60-0x0000000000B60000-0x0000000000B72000-memory.dmp matched rule asyncrat
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
  - 2040 VNYkuIlvKGBtGeDc.exe
  - 1152 VNYkuIlvKGBtGeDc.exe
  - 824 VNYkuIlvKGBtGeDc.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  - 800 e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  - 2040 VNYkuIlvKGBtGeDc.exe
  - 2040 VNYkuIlvKGBtGeDc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: VNYkuIlvKGBtGeDc.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: VNYkuIlvKGBtGeDc.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 1152 VNYkuIlvKGBtGeDc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, pid 800, e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid / process):
  - 824 VNYkuIlvKGBtGeDc.exe
  - 824 VNYkuIlvKGBtGeDc.exe
  - 824 VNYkuIlvKGBtGeDc.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid / process):
  - 824 VNYkuIlvKGBtGeDc.exe
  - 824 VNYkuIlvKGBtGeDc.exe
  - 824 VNYkuIlvKGBtGeDc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid / process -> target pid / target process):
  - PID 800 wrote to memory of 2040: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 800 wrote to memory of 2040: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 800 wrote to memory of 2040: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 800 wrote to memory of 2040: e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 1152: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 1152: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 1152: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 1152: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 824: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 824: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 824: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
  - PID 2040 wrote to memory of 824: VNYkuIlvKGBtGeDc.exe -> VNYkuIlvKGBtGeDc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe" --local-control
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    - C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe" --local-service
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
  Filesize: 3.5MB
  MD5: e9fb13875b744fa633d1a7a34b0f6a52
  SHA1: f0966985745541ba01800aa213509a89a7fdf716
  SHA256: fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
  SHA512: c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292
- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 6KB
  MD5: 840cb8f482af6899d2dd1f47a30daced
  SHA1: ae257b1f711ddaed65767c8104119b87b82f70ba
  SHA256: 344ee98353b41126066a38b77336c3bc90f5ac3c0d29d5e7fb24d74cbc24de7d
  SHA512: 9495f9b9c9116eee5fd8476dd9db9fec819acc5fbbc7f9660d6185b5e6d2a345ee53c2ca07fa69a2457fc2e639974c103e8c7f72d9b28c20f1edab2d2403db21
- C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
  Filesize: 2KB
  MD5: bb03b879b75cc71581e0c9713549cb98
  SHA1: bb944264d6d960a8ac1fe02fc2b4c8bc76a87dd5
  SHA256: 70651079d983cabb773b3ce82182bc9e5e9ce7705470be0ef78c258e4467d746
  SHA512: b685579a1bcf7911b35f087fe11635a30b9f5ea9d7fcdd065ccfeac8be2f9430a38c47df74a0d752b80278c9bd7ea402bdf4d7d76f59658ae9aeb7a35f511cb7
- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 105B
  MD5: b786276566641bcfc2dfd92890b4b99d
  SHA1: 9565e49c7c739a8bce54cd21818b51dc338512da
  SHA256: a4da3c92f70d2d36878c8ea6cbde741373302046351477d745dcc29385c37520
  SHA512: 9e084c6eb838855b51cd686968c6f847ac53855fa32a861e2c49570bd11bae6239185b26ed33d1ba7e81679f0e79294847302115f646a208370356c5d11d761a
- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 113B
  MD5: dd5ffa613237c96ea57da3c4e8281651
  SHA1: b140b7bc9c0488858afd3935f628af84becce6f9
  SHA256: 5fce67844173db1b947617f14df4198b4593f8a68dbe540ecf645ea405ca33de
  SHA512: 3496c5c4221763ffb72bccb8a977aa778f314b9ed3bebd9b5a7efd6fc1410b436a12cc25e4df66d5c2f63d6715264c9343ac33485071c88d493c14bbf7c25cce
- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 205B
  MD5: 59352c2b0c590c5fd96365d3168d723b
  SHA1: 53ab571639cc3e3a38032c1095985f7f4278d8fc
  SHA256: 079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286
  SHA512: 2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828
Memory dumps
- memory/800-60-0x0000000000B60000-0x0000000000B72000-memory.dmp (Filesize: 72KB)
- memory/800-54-0x0000000001320000-0x00000000016D6000-memory.dmp (Filesize: 3.7MB)
- memory/800-56-0x0000000016110000-0x00000000164B2000-memory.dmp (Filesize: 3.6MB)
- memory/800-55-0x0000000004F45000-0x0000000004F56000-memory.dmp (Filesize: 68KB)
- memory/824-69-0x0000000000000000-mapping.dmp
- memory/824-76-0x0000000000900000-0x0000000001675000-memory.dmp (Filesize: 13.5MB)
- memory/1152-67-0x0000000000000000-mapping.dmp
- memory/1152-73-0x0000000000900000-0x0000000001675000-memory.dmp (Filesize: 13.5MB)
- memory/2040-64-0x0000000000900000-0x0000000001675000-memory.dmp (Filesize: 13.5MB)
- memory/2040-62-0x0000000000900000-0x0000000001675000-memory.dmp (Filesize: 13.5MB)
- memory/2040-61-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/2040-58-0x0000000000000000-mapping.dmp