Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:32
Static task: static1
Behavioral task: behavioral1
Sample: KR-310820.exe
Resource: win7-20220414-en
General
- Target: KR-310820.exe
- Size: 896KB
- MD5: 685be020460aac060f121dd2d689cc2e
- SHA1: eca95082e24b2d15c1cc9f18d8083b9527b23eae
- SHA256: c2e6a6a4dcceeb65c2b769b92223c4b5c6de325709146391a4863dd56f4eb3d1
- SHA512: c2d1330653a2a15d4a84ecaa003e4879bab4116d603a78d0e2adee92e8b0ea728ee284d7d59e73be083274637ce02df96c50ce6ee149d4b9dc4b00a43c93b055
Malware Config
Extracted
- asyncrat
- 0.5.7B
- newjob1
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/eeJq8Ku6
Signatures
- Async RAT payload (6 IoCs)
  Processes:
  resource | yara_rule
  - behavioral1/memory/1976-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1976-65-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1976-67-0x000000000040C75E-mapping.dmp | asyncrat
  - behavioral1/memory/1976-66-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1976-69-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1976-71-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: KR-310820.exe
  description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KR-310820.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KR-310820.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: KR-310820.exe
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | KR-310820.exe
  - Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | KR-310820.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: KR-310820.exe
  description | pid | process | target process
  - PID 1800 set thread context of 1976 | 1800 | KR-310820.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: KR-310820.exe
  pid | process
  - 1800 | KR-310820.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: KR-310820.exe, MSBuild.exe
  description | pid | process
  - Token: SeDebugPrivilege | 1800 | KR-310820.exe
  - Token: SeDebugPrivilege | 1976 | MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: KR-310820.exe
  description | pid | process | target process
  - PID 1800 wrote to memory of 528 | 1800 | KR-310820.exe | schtasks.exe
  - PID 1800 wrote to memory of 528 | 1800 | KR-310820.exe | schtasks.exe
  - PID 1800 wrote to memory of 528 | 1800 | KR-310820.exe | schtasks.exe
  - PID 1800 wrote to memory of 528 | 1800 | KR-310820.exe | schtasks.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
  - PID 1800 wrote to memory of 1976 | 1800 | KR-310820.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\KR-310820.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KR-310820.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuWPvVaSzDbeET" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D7A.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7D7A.tmp
  Filesize: 1KB
  MD5: 473ef479bdccb0dd4a477ca10fd9857e
  SHA1: 44134a017763e8c638fcfae9dcf153f521e9e12f
  SHA256: 128532924f6b312b315540beeafc33031712639897853ddb7cd33d848b47628e
  SHA512: e1463589d8f6e14cb2444b6ab13a17ccda1909e6fa1e9774f0f7933b7cbf99f10ec8baa01ac0a3173a954c04e4f62b1a24596bca2829c3fef8914227727e8ef3
- memory/528-59-0x0000000000000000-mapping.dmp
- memory/1800-57-0x0000000004AB0000-0x0000000004AFC000-memory.dmp
  Filesize: 304KB
- memory/1800-54-0x0000000000350000-0x0000000000436000-memory.dmp
  Filesize: 920KB
- memory/1800-58-0x00000000008A0000-0x00000000008C2000-memory.dmp
  Filesize: 136KB
- memory/1800-56-0x00000000004F0000-0x0000000000500000-memory.dmp
  Filesize: 64KB
- memory/1800-55-0x0000000074E91000-0x0000000074E93000-memory.dmp
  Filesize: 8KB
- memory/1976-61-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1976-62-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1976-64-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1976-65-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1976-67-0x000000000040C75E-mapping.dmp
- memory/1976-66-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1976-69-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1976-71-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB