Analysis
-
max time kernel
140s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
20-05-2022 22:21
Static task
static1
Behavioral task
behavioral1
Sample
顧客訂單_081720.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
顧客訂單_081720.exe
Resource
win10v2004-20220414-en
General
-
Target
顧客訂單_081720.exe
-
Size
399KB
-
MD5
fca5062e93aad2523c6bb28f1147629d
-
SHA1
9269d7bdd9332107c524ad9280dfb8cef0bcc6a2
-
SHA256
9be04012b4927a7e93498068acaaac6e157192df66509a20079fa39084735247
-
SHA512
9195d99b6d8c547920a13f7a483fa71706145f09f1aa7ea3c552e5d48ed9a824314ccaefa30b0a869bbc7a6c82483be350a8ca759ac3eeabe9026432c104ab45
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
GOD'S MERCY
Mutex
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/reQxa5Ah
Signatures
-
Async RAT payload 1 IoCs
Processes:
resource: behavioral2/memory/116-140-0x0000000000400000-0x0000000000412000-memory.dmp
yara_rule: asyncrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
process: 顧客訂單_081720.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Legitimate hosting services abused for malware hosting/C2 1 TTPs
This refers to the pastebin_config URL in the extracted config: the RAT fetches its C2 address from a Pastebin raw paste instead of embedding it, so the hard-coded indicator is the paste URL, not a C2 host.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
source process: 顧客訂單_081720.exe (PID 4028)
description: set thread context
target process: MSBuild.exe (PID 116)
Read together with the writes into PID 116 and the asyncrat YARA match on its 0x0000000000400000-0x0000000000412000 region (0x400000 is the default image base of a 32-bit PE), this is the process-hollowing pattern: MSBuild.exe is started, its image is overwritten with the payload, and its initial thread's context is redirected before it runs. A second MSBuild.exe instance (PID 216) also received writes but shows no further activity in the report.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; with an AsyncRAT config extracted and no file-encryption activity in the report, it is better read as host reconnaissance.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\SzJeVYqHm" is registered from an XML definition written to %TEMP% (tmp7F52.tmp, listed under Downloads) by the loader process (PID 4028), before injection; the extracted config's install=false governs the injected AsyncRAT payload's own self-install, not this loader-side persistence.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
process: 顧客訂單_081720.exe (PID 4028), reported 3 times
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
顧客訂單_081720.exe (PID 4028): Token: SeDebugPrivilege
MSBuild.exe (PID 116): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
source process: 顧客訂單_081720.exe (PID 4028)
PID 4028 wrote to memory of PID 4840 (schtasks.exe): 3 events
PID 4028 wrote to memory of PID 216 (MSBuild.exe): 3 events
PID 4028 wrote to memory of PID 116 (MSBuild.exe): 8 events
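The injection signatures above (WriteProcessMemory, SetThreadContext, the asyncrat YARA hit on PID 116) are what an analyst correlates by hand. The following Python is an added example, not part of the sandbox report or of the sandbox's own tooling: it parses the event lines in the exact shape the page prints them (the event text is copied from the report), aggregates them per target PID, and produces one verdict per target, keeping writes-only targets such as the schtasks.exe child separate from the hollowed MSBuild.exe. The HOLLOW_HOSTS list and the verdict wording are assumptions for illustration.

```python
import re

# Regex for the two event shapes the report prints. The page's flattened
# table repeats the source PID after the target PID, hence the (?P=src).
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)

# Copied from the report's WriteProcessMemory (14 IoCs) and SetThreadContext
# (1 IoC) signatures, one event per line.
REPORT_EVENTS = """
PID 4028 wrote to memory of 4840 4028 顧客訂單_081720.exe schtasks.exe
PID 4028 wrote to memory of 4840 4028 顧客訂單_081720.exe schtasks.exe
PID 4028 wrote to memory of 4840 4028 顧客訂單_081720.exe schtasks.exe
PID 4028 wrote to memory of 216 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 216 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 216 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 wrote to memory of 116 4028 顧客訂單_081720.exe MSBuild.exe
PID 4028 set thread context of 116 4028 顧客訂單_081720.exe MSBuild.exe
"""

# Region the report's YARA rule matched, keyed by PID: (rule, start, end).
# 0x00400000 is the default image base of a 32-bit PE, i.e. the payload
# replaced MSBuild's own image rather than living in a side allocation.
YARA_HITS = {116: ("asyncrat", 0x00400000, 0x00412000)}

# .NET utilities commonly chosen as hollowing hosts. Assumed list for this
# example, not something the report states.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def parse_events(text):
    """Turn the flattened signature text into a list of event dicts."""
    return [
        {
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "action": "write" if m["action"].startswith("wrote") else "set_thread_context",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        }
        for m in EVENT_RE.finditer(text)
    ]


def correlate(events, yara_hits):
    """Aggregate per target PID and return (stats, verdicts).

    A target is called hollowed only when it both received writes and had a
    thread context replaced; writes alone occur on every child spawn (the
    sandbox counts those too), so they are reported but not flagged.
    """
    stats = {}
    for e in events:
        t = stats.setdefault(e["dst"], {"image": e["dst_image"], "source": e["src"],
                                         "writes": 0, "set_thread_context": 0})
        key = "writes" if e["action"] == "write" else "set_thread_context"
        t[key] += 1

    verdicts = {}
    for pid, t in stats.items():
        hit = yara_hits.get(pid)
        t["yara"] = hit[0] if hit else None
        if t["writes"] and t["set_thread_context"] and hit:
            verdicts[pid] = (f"process hollowing confirmed: {hit[0]} at "
                             f"{hit[1]:#010x}-{hit[2]:#010x} in {t['image']}")
        elif t["writes"] and t["set_thread_context"]:
            verdicts[pid] = f"process hollowing suspected in {t['image']} (no payload signature)"
        elif t["image"].lower() in HOLLOW_HOSTS:
            verdicts[pid] = f"writes into hollow host {t['image']} without thread context change"
        else:
            verdicts[pid] = f"writes only into {t['image']}, consistent with child creation"
    return stats, verdicts


if __name__ == "__main__":
    stats, verdicts = correlate(parse_events(REPORT_EVENTS), YARA_HITS)
    for pid in sorted(stats):
        print(pid, stats[pid]["writes"], stats[pid]["set_thread_context"], verdicts[pid])
```

The three-way split is the point: PID 4840 (schtasks.exe) gets writes because that is how CreateProcess hands startup data to a child, PID 216 is an MSBuild.exe that was written to but never had its context swapped, and only PID 116 satisfies all three conditions. On a live host the same logic applies to Sysmon Event ID 8/10 plus a memory scan of the target.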
Processes
-
C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzJeVYqHm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp"
    - Creates scheduled task(s)
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken
The command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe; that is WOW64 file-system redirection, which only happens to a 32-bit process, so the dropper is 32-bit, and the choice of the 32-bit MSBuild.exe under Framework\ rather than Framework64\ is consistent with that. The two MSBuild.exe children are PIDs 216 and 116 (see the WriteProcessMemory and SetThreadContext signatures); only the second, PID 116, goes on to hold the AsyncRAT payload and request SeDebugPrivilege.
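The process tree above shows the two loader-side behaviours worth hunting for on live hosts: schtasks.exe registering a task from an XML file in %TEMP%, and an argument-less MSBuild.exe started by a process living in a user-writable directory. The following Python is an added example, not code from the report: it scores process-creation records of the shape Sysmon Event ID 1 provides (image, command line, parent image) and also reports WOW64 redirection when the image path and the command line disagree. The first three records are reconstructed from the tree above (the dropper's own parent is assumed to be explorer.exe, which the report does not state); the last two are constructed benign records for contrast; USER_WRITABLE and NET_HOSTS are assumed lists.

```python
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to. A parent living here, or a task
# XML read from here, is the hunting signal. Assumed list for this example.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads", r"\users\public")
# .NET utilities regularly abused as injection hosts (assumed list).
NET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def _user_writable(path):
    low = path.lower()
    return any(seg in low for seg in USER_WRITABLE)


def _args_after_image(cmd):
    # Drop the leading image token, quoted or not; whatever remains is arguments.
    return re.sub(r'^\s*(?:"[^"]*"|\S+)\s*', "", cmd)


def _switch_value(cmd, switch):
    # Value of a schtasks switch such as /TN or /XML, quoted or bare.
    m = re.search(r"/" + switch + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def analyze(event):
    """Return human-readable findings for one process-creation record."""
    image, cmd, parent = event["image"], event["command_line"], event["parent_image"]
    name = PureWindowsPath(image).name.lower()
    findings = []

    # 1. WOW64 redirection: the command line says System32 but the loaded image
    #    came from SysWOW64, so the parent that launched it is a 32-bit process.
    if "\\syswow64\\" in image.lower() and "\\system32\\" in cmd.lower():
        findings.append(f"WOW64 redirection: 32-bit parent {parent} launched {name} via a System32 path")

    # 2. Scheduled-task persistence fed from an XML definition in a user-writable dir.
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        xml = _switch_value(cmd, "xml")
        task = _switch_value(cmd, "tn") or "?"
        if xml and _user_writable(xml):
            findings.append(f"schtasks /Create of task {task} from user-writable XML {xml}")

    # 3. A .NET host started with no arguments by a parent in a user-writable
    #    directory: MSBuild with no project to build has nothing legitimate to do.
    if name in NET_HOSTS and not _args_after_image(cmd).strip() and _user_writable(parent):
        findings.append(f"argument-less {name} spawned by {parent}: likely injection host")
    return findings


# Records reconstructed from the report's process tree (first three), plus two
# constructed benign records. The dropper's parent is an assumption.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzJeVYqHm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe"},
    # constructed benign: a developer build started from the IDE
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" "C:\src\app\app.csproj" /t:Build',
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # constructed benign: an admin registering a task from a ProgramData XML
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Findings per record index; an empty list means the record looks clean."""
    return {i: analyze(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, f in run().items():
        print(i, f or "clean")
```

The schtasks rule keys on where the XML definition comes from rather than on the task name, because names like "Updates\SzJeVYqHm" are regenerated per build while the write-to-%TEMP%-then-register sequence is what the loader cannot avoid. The MSBuild rule deliberately ignores the Framework vs Framework64 path so that 32-bit and 64-bit loaders are caught alike.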
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp
Filesize
1KB
MD5
5e5c2a7e2a267be24b685d5b83d9089a
SHA1
48181b606f60015b866058c695a5e116b2d3df67
SHA256
f2b4a503ffcd43ea7dc9cc35e1fac15d0cfa27135f71dec50b8ce2a453331b25
SHA512
516d5bcb32310546609886ef38f723e6a2668b994e67b8dae2ffe556dab6fe6bba82e91feabc119543ec262d9d3fe71148937766d5e1566713911ecc5cf9a5f9
-
memory/116-139-0x0000000000000000-mapping.dmp
-
memory/116-140-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/216-138-0x0000000000000000-mapping.dmp
-
memory/4028-130-0x00000000009E0000-0x0000000000A4C000-memory.dmp
Filesize
432KB
-
memory/4028-131-0x0000000005310000-0x00000000053AC000-memory.dmp
Filesize
624KB
-
memory/4028-132-0x00000000059D0000-0x0000000005F74000-memory.dmp
Filesize
5.6MB
-
memory/4028-133-0x0000000005420000-0x00000000054B2000-memory.dmp
Filesize
584KB
-
memory/4028-134-0x0000000002E40000-0x0000000002E4A000-memory.dmp
Filesize
40KB
-
memory/4028-135-0x00000000053B0000-0x0000000005406000-memory.dmp
Filesize
344KB
-
memory/4840-136-0x0000000000000000-mapping.dmp