Analysis
- max time kernel: 177s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:41
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Doc#662020094753525765678.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: Doc#662020094753525765678.exe
  Resource: win10v2004-20220414-en
General
- Target: Doc#662020094753525765678.exe
- Size: 301KB
- MD5: 9b70f0dee9fa7de571b2c08a6f3a9a75
- SHA1: f3ad5f3cabe73c60c795c3367faaca682ddc1cc9
- SHA256: 249b086fbb970eefa5bc4c9bcebcda1e8a638ed82a1bbf1a106cfe3807e3e121
- SHA512: 2d47ea2d01e5643e5e5bec7e4b44e2c6cbc5c69f233bef27def943343403733a484baa58b90699f8ca29be52086750d505c47d876f8076ca363797be2f5badd7
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- DIRECT
- chizzy25@@!7^UPCAZ
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/HKYwiN9V
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral2/memory/2196-144-0x0000000000190000-0x00000000001A2000-memory.dmp, yara_rule: asyncrat
- Executes dropped EXE (2 IoCs)
  pid 4808: dwrn.exe
  pid 2196: AddInProcess32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: Doc#662020094753525765678.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggxdtysjyux = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\dwrn.exe" (process: reg.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4808 (dwrn.exe) set thread context of PID 2196 (AddInProcess32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 3688: Doc#662020094753525765678.exe (22 events)
  pid 4808: dwrn.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: pid 3688 Doc#662020094753525765678.exe
  Token SeDebugPrivilege: pid 4808 dwrn.exe
  Token SeDebugPrivilege: pid 2196 AddInProcess32.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3688 (Doc#662020094753525765678.exe) wrote to memory of PID 4864 (cmd.exe): 3 events
  PID 4864 (cmd.exe) wrote to memory of PID 4936 (reg.exe): 3 events
  PID 3688 (Doc#662020094753525765678.exe) wrote to memory of PID 4808 (dwrn.exe): 3 events
  PID 4808 (dwrn.exe) wrote to memory of PID 2196 (AddInProcess32.exe): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Doc#662020094753525765678.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Doc#662020094753525765678.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v ggxdtysjyux /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dwrn.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v ggxdtysjyux /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dwrn.exe"
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\dwrn.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\dwrn.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
- C:\Users\Admin\AppData\Roaming\dwrn.exe
  Filesize: 301KB
  MD5: 9b70f0dee9fa7de571b2c08a6f3a9a75
  SHA1: f3ad5f3cabe73c60c795c3367faaca682ddc1cc9
  SHA256: 249b086fbb970eefa5bc4c9bcebcda1e8a638ed82a1bbf1a106cfe3807e3e121
  SHA512: 2d47ea2d01e5643e5e5bec7e4b44e2c6cbc5c69f233bef27def943343403733a484baa58b90699f8ca29be52086750d505c47d876f8076ca363797be2f5badd7
- memory/2196-144-0x0000000000190000-0x00000000001A2000-memory.dmp
  Filesize: 72KB
- memory/2196-140-0x0000000000000000-mapping.dmp
- memory/3688-133-0x0000000005680000-0x00000000056A2000-memory.dmp
  Filesize: 136KB
- memory/3688-134-0x00000000058E0000-0x0000000005972000-memory.dmp
  Filesize: 584KB
- memory/3688-130-0x0000000000C50000-0x0000000000CA0000-memory.dmp
  Filesize: 320KB
- memory/3688-132-0x0000000005630000-0x0000000005674000-memory.dmp
  Filesize: 272KB
- memory/3688-131-0x0000000005B50000-0x00000000060F4000-memory.dmp
  Filesize: 5.6MB
- memory/4808-137-0x0000000000000000-mapping.dmp
- memory/4864-135-0x0000000000000000-mapping.dmp
- memory/4936-136-0x0000000000000000-mapping.dmp