Analysis
-
max time kernel
41s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
19-05-2022 02:05
Static task
static1
Behavioral task
behavioral1
Sample
mshta.exe
Resource
win7-20220414-en
General
-
Target
mshta.exe
-
Size
304KB
-
MD5
b28ddf547716c0cdee99d4e5f261704d
-
SHA1
cef47d43a0809616fbdb980b7864b4cef8ed2943
-
SHA256
89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e
-
SHA512
c78e8c4b9d871e3df72f7ecdad2a179225df6887adc9db63746bbbc6fd7ae1d3cfdd5dcbde039790bbc84193a9f5eb8516df716d614a88181b8253c5c188c24b
Malware Config
Extracted
asyncrat
1.0.7
mshta
mshta
-
delay
1
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/tefSYKAL
Signatures
-
Async RAT payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe asyncrat \Users\Admin\AppData\Local\Temp\ElWebsite.exe asyncrat C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe asyncrat behavioral1/memory/788-63-0x0000000000AB0000-0x0000000000AC2000-memory.dmp asyncrat -
Executes dropped EXE 1 IoCs
Processes:
ElWebsite.exepid process 788 ElWebsite.exe -
Loads dropped DLL 1 IoCs
Processes:
mshta.exepid process 1860 mshta.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
mshta.exepid process 1860 mshta.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
mshta.exeElWebsite.exedescription pid process Token: SeDebugPrivilege 1860 mshta.exe Token: SeDebugPrivilege 788 ElWebsite.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
mshta.execmd.exedescription pid process target process PID 1860 wrote to memory of 788 1860 mshta.exe ElWebsite.exe PID 1860 wrote to memory of 788 1860 mshta.exe ElWebsite.exe PID 1860 wrote to memory of 788 1860 mshta.exe ElWebsite.exe PID 1860 wrote to memory of 788 1860 mshta.exe ElWebsite.exe PID 1860 wrote to memory of 1940 1860 mshta.exe cmd.exe PID 1860 wrote to memory of 1940 1860 mshta.exe cmd.exe PID 1860 wrote to memory of 1940 1860 mshta.exe cmd.exe PID 1860 wrote to memory of 1940 1860 mshta.exe cmd.exe PID 1940 wrote to memory of 968 1940 cmd.exe schtasks.exe PID 1940 wrote to memory of 968 1940 cmd.exe schtasks.exe PID 1940 wrote to memory of 968 1940 cmd.exe schtasks.exe PID 1940 wrote to memory of 968 1940 cmd.exe schtasks.exe PID 1860 wrote to memory of 1640 1860 mshta.exe cmd.exe PID 1860 wrote to memory of 1640 1860 mshta.exe cmd.exe PID 1860 wrote to memory of 1640 1860 mshta.exe cmd.exe PID 1860 wrote to memory of 1640 1860 mshta.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mshta.exe"C:\Users\Admin\AppData\Local\Temp\mshta.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe"C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mshta.exe" "C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe"2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {99E8C538-B806-4591-8FC7-D0166B2E68C7} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exeFilesize
47KB
MD539fd56f4e5a67ccf23e627f371ca9a9f
SHA1eb41ac2c14d71d48c3d64d3f2da62667cd97b799
SHA25615f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc
SHA5126976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065
-
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exeFilesize
47KB
MD539fd56f4e5a67ccf23e627f371ca9a9f
SHA1eb41ac2c14d71d48c3d64d3f2da62667cd97b799
SHA25615f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc
SHA5126976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065
-
\Users\Admin\AppData\Local\Temp\ElWebsite.exeFilesize
47KB
MD539fd56f4e5a67ccf23e627f371ca9a9f
SHA1eb41ac2c14d71d48c3d64d3f2da62667cd97b799
SHA25615f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc
SHA5126976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065
-
memory/788-57-0x0000000000000000-mapping.dmp
-
memory/788-63-0x0000000000AB0000-0x0000000000AC2000-memory.dmpFilesize
72KB
-
memory/968-61-0x0000000000000000-mapping.dmp
-
memory/1640-62-0x0000000000000000-mapping.dmp
-
memory/1860-54-0x0000000000E40000-0x0000000000E92000-memory.dmpFilesize
328KB
-
memory/1860-55-0x0000000075E41000-0x0000000075E43000-memory.dmpFilesize
8KB
-
memory/1940-60-0x0000000000000000-mapping.dmp