Analysis
-
max time kernel
153s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:27
General
-
Target
Disposable Protective Clothings.exe
-
Size
376KB
-
MD5
a6b074c03b42a9675cdd237aa106cca2
-
SHA1
cc3e04c2d2ed0c0b08f4c81859f8916f4e5d8c4c
-
SHA256
13bcf525a0617b8107fa61cd8fc1b47bf37c7a91291c3a68724cf3edac4aeab7
-
SHA512
339dc09a2b3f476b81f19011f6b7118e586017a1c8dd09beff50cf2ac3f932372d7ed3e68063ae0681dae90d6457df163bce525873f14a8b8f755de22986811e
Malware Config
Extracted
asyncrat
0.5.6D
ArmaniArmani
185.165.153.215:6606
uqeolevmck
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Disposable Protective Clothings.exe"C:\Users\Admin\AppData\Local\Temp\Disposable Protective Clothings.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kGgFNBqpE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9436.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Disposable Protective Clothings.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Disposable Protective Clothings.exe.logFilesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Temp\tmp9436.tmpFilesize
1KB
MD50bdf0cc3e901adfb56622b7536de20a5
SHA1c68e225ea255b0c748ace6a3ab6ac1729ddfae91
SHA256535e44e8c8207488248a82b3c261ee3563e9b5001d1fe5690b488528cde9f3b7
SHA51261e6342149410469592972556e83e2fd24965b0be3e8fb6d9116cc72906f16930426420c8ed2082a3eac55a986cba3552a9e988d24e9c0df2d696465a92bca8f
-
memory/384-137-0x0000000000000000-mapping.dmp
-
memory/384-138-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2864-130-0x0000000000E00000-0x0000000000E60000-memory.dmpFilesize
384KB
-
memory/2864-131-0x0000000005CC0000-0x0000000006264000-memory.dmpFilesize
5.6MB
-
memory/2864-132-0x00000000057F0000-0x0000000005882000-memory.dmpFilesize
584KB
-
memory/2864-133-0x0000000005990000-0x000000000599A000-memory.dmpFilesize
40KB
-
memory/2864-134-0x0000000007EE0000-0x0000000007F7C000-memory.dmpFilesize
624KB
-
memory/3972-135-0x0000000000000000-mapping.dmp