Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 03:23

Static task: static1
Behavioral task: behavioral1
Sample: AWB#5305323204641,pdf.exe
Resource: win7-20220414-en
General
- Target: AWB#5305323204641,pdf.exe
- Size: 233KB
- MD5: 88e05a7f3b27e3aed5d577949c867917
- SHA1: 180a4cabbb5ea319ff1210f5686c7779d0dd58c7
- SHA256: f3b33a885af940210f10df7e1c96dc388161961dcb52b6d84c3b7458d20ce116
- SHA512: 3d42bc7888584efea5d8a0a48b6293c54405d0186f3d8a45741f4e371ee143a5d1411be8f69dbe5aa5957b8dbad921100872206408a431849de4c826db875bbe
Malware Config
Extracted
asyncrat
0.5.7B
MAY11thUP
chizzy25@!7^UP
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/HKYwiN9V
Signatures
- CoreEntity .NET Packer (1 IoCs)
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
  Processes:
    resource | yara_rule
    behavioral1/memory/316-56-0x0000000000280000-0x0000000000288000-memory.dmp | coreentity
- Async RAT payload (6 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/612-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/612-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/612-65-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/612-66-0x000000000040C73E-mapping.dmp | asyncrat
    behavioral1/memory/612-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
    behavioral1/memory/612-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource | yara_rule
    behavioral1/memory/316-57-0x0000000000650000-0x0000000000668000-memory.dmp | rezer0
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: AWB#5305323204641,pdf.exe
    description | pid | process | target process
    PID 316 set thread context of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: MSBuild.exe
    description | pid | process
    Token: SeDebugPrivilege | 612 | MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: AWB#5305323204641,pdf.exe
    description | pid | process | target process
    PID 316 wrote to memory of 892 | 316 | AWB#5305323204641,pdf.exe | schtasks.exe
    PID 316 wrote to memory of 892 | 316 | AWB#5305323204641,pdf.exe | schtasks.exe
    PID 316 wrote to memory of 892 | 316 | AWB#5305323204641,pdf.exe | schtasks.exe
    PID 316 wrote to memory of 892 | 316 | AWB#5305323204641,pdf.exe | schtasks.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
    PID 316 wrote to memory of 612 | 316 | AWB#5305323204641,pdf.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\AWB#5305323204641,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB#5305323204641,pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDOhVHp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp
  Filesize: 1KB
  MD5: 63b28dfbb68dc02379d03880b379daf0
  SHA1: 6ad3b824907ed37546e731523a0b753a4c896cd5
  SHA256: 7b88e8b0e0f14c75055e97bc3691c74507077b93530f676f5770cc5a3f5a93a0
  SHA512: a0a8604aad025b48ccae5aeffb4cf0d64410853a8d3b574c8eb42cb2f60e183f9fee6d1af5391f790f026f39ffe5bc948828e6f0b17cbad8fa52a8aecdcff216
- memory/316-55-0x00000000769D1000-0x00000000769D3000-memory.dmp
  Filesize: 8KB
- memory/316-56-0x0000000000280000-0x0000000000288000-memory.dmp
  Filesize: 32KB
- memory/316-57-0x0000000000650000-0x0000000000668000-memory.dmp
  Filesize: 96KB
- memory/316-54-0x00000000001E0000-0x0000000000220000-memory.dmp
  Filesize: 256KB
- memory/612-60-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/612-61-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/612-63-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/612-64-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/612-65-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/612-66-0x000000000040C73E-mapping.dmp
- memory/612-68-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/612-70-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/892-58-0x0000000000000000-mapping.dmp