Analysis
max time kernel: 148s
max time network: 166s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: Disposable Protective Clothings.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Disposable Protective Clothings.exe
  Resource: win10v2004-20220414-en
General
Target: Disposable Protective Clothings.exe
Size: 376KB
MD5: a6b074c03b42a9675cdd237aa106cca2
SHA1: cc3e04c2d2ed0c0b08f4c81859f8916f4e5d8c4c
SHA256: 13bcf525a0617b8107fa61cd8fc1b47bf37c7a91291c3a68724cf3edac4aeab7
SHA512: 339dc09a2b3f476b81f19011f6b7118e586017a1c8dd09beff50cf2ac3f932372d7ed3e68063ae0681dae90d6457df163bce525873f14a8b8f755de22986811e
Malware Config
Extracted
  Family: asyncrat
  Version: 0.5.6D
  Botnet: ArmaniArmani
  C2: 185.165.153.215:6606
  Mutex: uqeolevmck
  Attributes:
    delay: 1
    install: false
    install_folder: %AppData%
Signatures
- CoreEntity .NET Packer (1 IoCs)
  A .NET packer called CoreEntity, which embeds the payload as a BitMap object that is later decrypted.
  Processes:
    resource | yara_rule
    behavioral1/memory/1664-56-0x0000000000280000-0x0000000000288000-memory.dmp | coreentity
- Async RAT payload (6 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1412-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/1412-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/1412-65-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/1412-66-0x000000000040C5FE-mapping.dmp | asyncrat
    behavioral1/memory/1412-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/1412-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource | yara_rule
    behavioral1/memory/1664-57-0x0000000000680000-0x000000000069A000-memory.dmp | rezer0
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1664 set thread context of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    1664 | Disposable Protective Clothings.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1664 | Disposable Protective Clothings.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description | pid | process | target process
    PID 1664 wrote to memory of 1816 | 1664 | Disposable Protective Clothings.exe | schtasks.exe
    PID 1664 wrote to memory of 1816 | 1664 | Disposable Protective Clothings.exe | schtasks.exe
    PID 1664 wrote to memory of 1816 | 1664 | Disposable Protective Clothings.exe | schtasks.exe
    PID 1664 wrote to memory of 1816 | 1664 | Disposable Protective Clothings.exe | schtasks.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
    PID 1664 wrote to memory of 1412 | 1664 | Disposable Protective Clothings.exe | Disposable Protective Clothings.exe
Processes
- Command line: "C:\Users\Admin\AppData\Local\Temp\Disposable Protective Clothings.exe"
  Image: C:\Users\Admin\AppData\Local\Temp\Disposable Protective Clothings.exe
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kGgFNBqpE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp"
    Image: C:\Windows\SysWOW64\schtasks.exe
    Signatures:
      - Creates scheduled task(s)
  - Command line: "{path}"
    Image: C:\Users\Admin\AppData\Local\Temp\Disposable Protective Clothings.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp
  Filesize: 1KB
  MD5: ebada54559b3872b79bece8426d1797c
  SHA1: c445b71bdc40d348c188cb4c6c8808dc1298dc54
  SHA256: 59f61b318f39a378f967eef0e6e5169e0cf14f8f4e94527107605e11259f8fdb
  SHA512: 4b733b6bc0c459908d53788341d35a5a1a579eb84c109839385a476ab579f6e10a3b5658b1b22156292d864eba851ab73a61a1c7ff963f16d7a1e892439498b9
- memory/1412-64-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1412-60-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1412-61-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1412-63-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1412-65-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1412-66-0x000000000040C5FE-mapping.dmp
- memory/1412-68-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1412-70-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1664-56-0x0000000000280000-0x0000000000288000-memory.dmp
  Filesize: 32KB
- memory/1664-57-0x0000000000680000-0x000000000069A000-memory.dmp
  Filesize: 104KB
- memory/1664-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB
- memory/1664-54-0x0000000010890000-0x00000000108F0000-memory.dmp
  Filesize: 384KB
- memory/1816-58-0x0000000000000000-mapping.dmp