Analysis

Max time kernel: 168s
Max time network: 187s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 12:24

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: disposable protective mask.exe
  Resource: win7-20220414-en
General

Target: disposable protective mask.exe
Size: 538KB
MD5: 349decc4593ee1efe629681f446c6d86
SHA1: c751c97becccf1c4e9f9af7009d97f7e71c13de9
SHA256: 6c961875370f68c10a135e3d0c14ec8164bb92556a8e3482cd80b52f96e4bc52
SHA512: 3c4df88c27c04cbd69070ea122672db265c8307a2a502b35a2887199e2013fa2fa7156b2a323dbceb771732f5415727fe7260f5100db85b2a32dd433cdd8505a
Malware Config

Extracted
Family: asyncrat
Version: 0.5.6D
Botnet: HARDHARD
C2: 185.165.153.215:6606
Mutex: uqeolevmck
Attributes:
  delay: 1
  install: false
  install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  Processes:
    resource: behavioral2/memory/484-138-0x0000000000400000-0x0000000000412000-memory.dmp
    yara_rule: asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    Process: disposable protective mask.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3588 (disposable protective mask.exe) set thread context of PID 484 (disposable protective mask.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID 3588 (disposable protective mask.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 3588 (disposable protective mask.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 3588 (disposable protective mask.exe) wrote to memory of PID 544 (schtasks.exe): 3 events
    PID 3588 (disposable protective mask.exe) wrote to memory of PID 484 (disposable protective mask.exe): 8 events
Processes

C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBEHIFQnafbJqs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6D8.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\disposable protective mask.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\tmpF6D8.tmp
  Filesize: 1KB
  MD5: cdcb02e7ca5ca26668254b7041894342
  SHA1: 864429c5e474e2541550cd872434437043d08a38
  SHA256: e67df0fd56c160938a3cf8f34adbbf2b922230e23bee13fe615ceff64bced581
  SHA512: b77e52cabf53640badc8c57af8e8ac730dcc6accd623298c27ae02e83472c259033ac5902b6d3abec25b7243f84bfbb004013d96e792172ed471f269c25785d8

memory/484-137-0x0000000000000000-mapping.dmp

memory/484-138-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB

memory/544-135-0x0000000000000000-mapping.dmp

memory/3588-130-0x0000000000AE0000-0x0000000000B6C000-memory.dmp
  Filesize: 560KB

memory/3588-131-0x0000000009ED0000-0x000000000A474000-memory.dmp
  Filesize: 5.6MB

memory/3588-132-0x0000000005770000-0x0000000005802000-memory.dmp
  Filesize: 584KB

memory/3588-133-0x0000000005720000-0x000000000572A000-memory.dmp
  Filesize: 40KB

memory/3588-134-0x0000000009D20000-0x0000000009DBC000-memory.dmp
  Filesize: 624KB