Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
19-05-2022 02:05
Static task
static1
Behavioral task
behavioral1
Sample
mshta.exe
Resource
win7-20220414-en
General
-
Target
mshta.exe
-
Size
304KB
-
MD5
b28ddf547716c0cdee99d4e5f261704d
-
SHA1
cef47d43a0809616fbdb980b7864b4cef8ed2943
-
SHA256
89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e
-
SHA512
c78e8c4b9d871e3df72f7ecdad2a179225df6887adc9db63746bbbc6fd7ae1d3cfdd5dcbde039790bbc84193a9f5eb8516df716d614a88181b8253c5c188c24b
Malware Config
Extracted
asyncrat
1.0.7
mshta
mshta
-
delay
1
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/tefSYKAL
Signatures
-
Async RAT payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe asyncrat C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe asyncrat behavioral2/memory/1588-137-0x0000000000AC0000-0x0000000000AD2000-memory.dmp asyncrat -
Executes dropped EXE 1 IoCs
Processes:
ElWebsite.exepid process 1588 ElWebsite.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation mshta.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
mshta.exepid process 2820 mshta.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
mshta.exeElWebsite.exedescription pid process Token: SeDebugPrivilege 2820 mshta.exe Token: SeDebugPrivilege 1588 ElWebsite.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
mshta.execmd.exedescription pid process target process PID 2820 wrote to memory of 1588 2820 mshta.exe ElWebsite.exe PID 2820 wrote to memory of 1588 2820 mshta.exe ElWebsite.exe PID 2820 wrote to memory of 5016 2820 mshta.exe cmd.exe PID 2820 wrote to memory of 5016 2820 mshta.exe cmd.exe PID 2820 wrote to memory of 5016 2820 mshta.exe cmd.exe PID 5016 wrote to memory of 4268 5016 cmd.exe schtasks.exe PID 5016 wrote to memory of 4268 5016 cmd.exe schtasks.exe PID 5016 wrote to memory of 4268 5016 cmd.exe schtasks.exe PID 2820 wrote to memory of 4380 2820 mshta.exe cmd.exe PID 2820 wrote to memory of 4380 2820 mshta.exe cmd.exe PID 2820 wrote to memory of 4380 2820 mshta.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mshta.exe"C:\Users\Admin\AppData\Local\Temp\mshta.exe"1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe"C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mshta.exe" "C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exeFilesize
47KB
MD539fd56f4e5a67ccf23e627f371ca9a9f
SHA1eb41ac2c14d71d48c3d64d3f2da62667cd97b799
SHA25615f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc
SHA5126976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065
-
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exeFilesize
47KB
MD539fd56f4e5a67ccf23e627f371ca9a9f
SHA1eb41ac2c14d71d48c3d64d3f2da62667cd97b799
SHA25615f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc
SHA5126976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065
-
memory/1588-134-0x0000000000000000-mapping.dmp
-
memory/1588-137-0x0000000000AC0000-0x0000000000AD2000-memory.dmpFilesize
72KB
-
memory/1588-141-0x00007FF8786D0000-0x00007FF879191000-memory.dmpFilesize
10.8MB
-
memory/2820-130-0x0000000000D50000-0x0000000000DA2000-memory.dmpFilesize
328KB
-
memory/2820-131-0x00000000051B0000-0x0000000005754000-memory.dmpFilesize
5.6MB
-
memory/2820-132-0x0000000004C00000-0x0000000004C92000-memory.dmpFilesize
584KB
-
memory/2820-133-0x0000000004EC0000-0x0000000004ECA000-memory.dmpFilesize
40KB
-
memory/4268-139-0x0000000000000000-mapping.dmp
-
memory/4380-140-0x0000000000000000-mapping.dmp
-
memory/5016-138-0x0000000000000000-mapping.dmp