Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:24

Static task: static1
Behavioral task: behavioral1
Sample: disposable protective mask.exe
Resource: win7-20220414-en
General
- Target: disposable protective mask.exe
- Size: 538KB
- MD5: 349decc4593ee1efe629681f446c6d86
- SHA1: c751c97becccf1c4e9f9af7009d97f7e71c13de9
- SHA256: 6c961875370f68c10a135e3d0c14ec8164bb92556a8e3482cd80b52f96e4bc52
- SHA512: 3c4df88c27c04cbd69070ea122672db265c8307a2a502b35a2887199e2013fa2fa7156b2a323dbceb771732f5415727fe7260f5100db85b2a32dd433cdd8505a
Malware Config
Extracted:
- asyncrat
- 0.5.6D
- HARDHARD
- 185.165.153.215:6606
- uqeolevmck
- delay: 1
- install: false
- install_folder: %AppData%
Signatures

CoreEntity .NET Packer (1 IoCs)
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
Processes (resource / yara_rule):
- behavioral1/memory/1552-57-0x00000000004E0000-0x00000000004E8000-memory.dmp / coreentity

Async RAT payload (6 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1304-64-0x0000000000400000-0x0000000000412000-memory.dmp / asyncrat
- behavioral1/memory/1304-65-0x0000000000400000-0x0000000000412000-memory.dmp / asyncrat
- behavioral1/memory/1304-66-0x0000000000400000-0x0000000000412000-memory.dmp / asyncrat
- behavioral1/memory/1304-67-0x000000000040C5FE-mapping.dmp / asyncrat
- behavioral1/memory/1304-69-0x0000000000400000-0x0000000000412000-memory.dmp / asyncrat
- behavioral1/memory/1304-71-0x0000000000400000-0x0000000000412000-memory.dmp / asyncrat

ReZer0 packer (1 IoCs)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes (resource / yara_rule):
- behavioral1/memory/1552-58-0x0000000000590000-0x00000000005AA000-memory.dmp / rezer0

Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
- PID 1552 set thread context of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description / pid / process / target process):
- PID 1552 wrote to memory of 940 / 1552 / disposable protective mask.exe / schtasks.exe
- PID 1552 wrote to memory of 940 / 1552 / disposable protective mask.exe / schtasks.exe
- PID 1552 wrote to memory of 940 / 1552 / disposable protective mask.exe / schtasks.exe
- PID 1552 wrote to memory of 940 / 1552 / disposable protective mask.exe / schtasks.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
- PID 1552 wrote to memory of 1304 / 1552 / disposable protective mask.exe / disposable protective mask.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBEHIFQnafbJqs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15E2.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp15E2.tmp
  Filesize: 1KB
  MD5: 386d7f200440fcd3bfa1ac647f9a030a
  SHA1: 8860788648f3bf5a921b0bd362f59c36d0d816c8
  SHA256: aed9c7c64724ff0275d2801b3d97f8a052bab8c7099928c864210de5d437ee50
  SHA512: fdce50a02bba846352a9d68fac79172ebfd65e51d514e942f63fc2e3b2642377af4d9a594effc25c478b2fccb8f47bab32ab1206f0c5e12d865d9a63abf25e68
- memory/940-59-0x0000000000000000-mapping.dmp
- memory/1304-64-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1304-61-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1304-62-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1304-65-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1304-66-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1304-67-0x000000000040C5FE-mapping.dmp
- memory/1304-69-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1304-71-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/1552-57-0x00000000004E0000-0x00000000004E8000-memory.dmp
  Filesize: 32KB
- memory/1552-58-0x0000000000590000-0x00000000005AA000-memory.dmp
  Filesize: 104KB
- memory/1552-56-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB
- memory/1552-55-0x0000000000260000-0x000000000027A000-memory.dmp
  Filesize: 104KB
- memory/1552-54-0x0000000000990000-0x0000000000A1C000-memory.dmp
  Filesize: 560KB