Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 12:24
General
-
Target
disposable protective mask.exe
-
Size
538KB
-
MD5
349decc4593ee1efe629681f446c6d86
-
SHA1
c751c97becccf1c4e9f9af7009d97f7e71c13de9
-
SHA256
6c961875370f68c10a135e3d0c14ec8164bb92556a8e3482cd80b52f96e4bc52
-
SHA512
3c4df88c27c04cbd69070ea122672db265c8307a2a502b35a2887199e2013fa2fa7156b2a323dbceb771732f5415727fe7260f5100db85b2a32dd433cdd8505a
Malware Config
Extracted
asyncrat
0.5.6D
HARDHARD
185.165.153.215:6606
uqeolevmck
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Async RAT payload 6 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe"C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBEHIFQnafbJqs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15E2.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp15E2.tmpFilesize
1KB
MD5386d7f200440fcd3bfa1ac647f9a030a
SHA18860788648f3bf5a921b0bd362f59c36d0d816c8
SHA256aed9c7c64724ff0275d2801b3d97f8a052bab8c7099928c864210de5d437ee50
SHA512fdce50a02bba846352a9d68fac79172ebfd65e51d514e942f63fc2e3b2642377af4d9a594effc25c478b2fccb8f47bab32ab1206f0c5e12d865d9a63abf25e68
-
memory/940-59-0x0000000000000000-mapping.dmp
-
memory/1304-64-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1304-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1304-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1304-65-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1304-66-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1304-67-0x000000000040C5FE-mapping.dmp
-
memory/1304-69-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1304-71-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1552-57-0x00000000004E0000-0x00000000004E8000-memory.dmpFilesize
32KB
-
memory/1552-58-0x0000000000590000-0x00000000005AA000-memory.dmpFilesize
104KB
-
memory/1552-56-0x0000000075B61000-0x0000000075B63000-memory.dmpFilesize
8KB
-
memory/1552-55-0x0000000000260000-0x000000000027A000-memory.dmpFilesize
104KB
-
memory/1552-54-0x0000000000990000-0x0000000000A1C000-memory.dmpFilesize
560KB