Analysis
Max time kernel: 203s
Max time network: 211s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 12:31
Static task: static1
Behavioral task: behavioral1 (sample: Disposable Protective Mask.exe, resource: win7-20220414-en)
General
Target: Disposable Protective Mask.exe
Size: 561KB
MD5: 6f254eb4843ee683a0c43e340bfe8840
SHA1: 82b24614b10237c4b8ab9b31a860555be00667b7
SHA256: 82f23154db8360127ad3fbcab71948019b0e2904c1ec65d5045722f6ee91fdce
SHA512: 2ed7a8a383366eefb4e2fe6d23f97f2ba24b992c315d6cdde6069e2e76910413a77c20b5da71ac74b35e8bfd05f36951225afbca8035b35a82d763d49ff65d19
Malware Config
Extracted family: asyncrat
Version: 0.5.6D
Group (botnet ID): TINOTINO
C2: 185.165.153.215:6606
Mutex: uqeolevmck
delay: 1
install: false
install_folder: %AppData%

Because install is false, the RAT's own copy-to-%AppData% routine is disabled; the persistence observed in this run comes from the scheduled task that the loader process (PID 1472) creates through schtasks.exe (see Signatures and Processes below).
Signatures

CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
Resource: behavioral1/memory/1472-57-0x0000000000570000-0x0000000000578000-memory.dmp, YARA rule: coreentity
Async RAT payload (6 IoCs)
YARA rule asyncrat matched in the following PID 1964 memory regions:
behavioral1/memory/1964-64-0x0000000000400000-0x0000000000412000-memory.dmp
behavioral1/memory/1964-65-0x0000000000400000-0x0000000000412000-memory.dmp
behavioral1/memory/1964-66-0x0000000000400000-0x0000000000412000-memory.dmp
behavioral1/memory/1964-67-0x000000000040C5FE-mapping.dmp
behavioral1/memory/1964-69-0x0000000000400000-0x0000000000412000-memory.dmp
behavioral1/memory/1964-71-0x0000000000400000-0x0000000000412000-memory.dmp
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Resource: behavioral1/memory/1472-58-0x0000000000B60000-0x0000000000B7A000-memory.dmp, YARA rule: rezer0
Suspicious use of SetThreadContext (1 IoC)
PID 1472 (Disposable Protective Mask.exe) set the thread context of PID 1964 (Disposable Protective Mask.exe).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but it is a generic heuristic; the payload identified in this run is AsyncRAT.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 1472 (Disposable Protective Mask.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 1472 (Disposable Protective Mask.exe): Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (13 IoCs)
PID 1472 (Disposable Protective Mask.exe) wrote to the memory of PID 2032 (schtasks.exe): 4 events
PID 1472 (Disposable Protective Mask.exe) wrote to the memory of PID 1964 (Disposable Protective Mask.exe): 9 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\Disposable Protective Mask.exe (PID 1472)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Disposable Protective Mask.exe"
   Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe (PID 2032)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKnNDXnkQhbt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B80.tmp"
      Signatures: Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\Disposable Protective Mask.exe (PID 1964)
      Command line: "{path}"

The command line names System32 but the image that actually ran is under SysWOW64, so the parent is a 32-bit process and the path was redirected by WOW64. The second child runs the same image as its parent with the literal command line "{path}"; together with the nine WriteProcessMemory events and the SetThreadContext call from PID 1472 into PID 1964, and the asyncrat YARA hits in PID 1964's 0x400000-0x412000 region, this is the hollowed process that hosts the AsyncRAT payload. The task XML passed to schtasks is the tmp6B80.tmp file listed under Downloads.
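As an added example (not part of the sandbox report), the following Python reproduces the two detections a defender would want from this process tree: a parent that writes into a same-image child and then resets that child's thread context (the hollowing of PID 1964), and a schtasks /Create whose task XML comes from the user's Temp directory (PID 2032). The process records and events are constructed from the PIDs, image paths and command lines shown above; the record layout (dicts with image, cmdline, parent, and typed events) is an assumption, not the sandbox's export format.

```python
"""Flag process hollowing and schtasks persistence from sandbox-style events.

Added example. PROCESSES and EVENTS are constructed from the report's process
tree and signature tables; the dict layout is assumed, not a real export format.
"""
import re
from collections import defaultdict

# Constructed from the report: PID -> image, command line, parent PID.
PROCESSES = {
    1472: {"image": r"C:\Users\Admin\AppData\Local\Temp\Disposable Protective Mask.exe",
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Disposable Protective Mask.exe"',
           "parent": None},
    2032: {"image": r"C:\Windows\SysWOW64\schtasks.exe",
           "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKnNDXnkQhbt" '
                      r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6B80.tmp"',
           "parent": 1472},
    1964: {"image": r"C:\Users\Admin\AppData\Local\Temp\Disposable Protective Mask.exe",
           "cmdline": "{path}",
           "parent": 1472},
}

# Constructed from the WriteProcessMemory (4 + 9) and SetThreadContext signatures.
EVENTS = (
    [{"type": "WriteProcessMemory", "pid": 1472, "target": 2032}] * 4
    + [{"type": "WriteProcessMemory", "pid": 1472, "target": 1964}] * 9
    + [{"type": "SetThreadContext", "pid": 1472, "target": 1964}]
)

TN_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def find_hollowing(processes, events):
    """Return hits where a process wrote into a child running the same image
    and then called SetThreadContext on it (the classic hollowing sequence)."""
    writes = defaultdict(int)
    ctx_targets = set()
    for ev in events:
        if ev["type"] == "WriteProcessMemory":
            writes[(ev["pid"], ev["target"])] += 1
        elif ev["type"] == "SetThreadContext":
            ctx_targets.add((ev["pid"], ev["target"]))
    hits = []
    for src, dst in sorted(ctx_targets):
        same_image = processes[src]["image"].lower() == processes[dst]["image"].lower()
        is_child = processes[dst]["parent"] == src
        if writes[(src, dst)] and same_image and is_child:
            hits.append({"source": src, "target": dst, "writes": writes[(src, dst)]})
    return hits


def find_schtasks_persistence(processes):
    """Return schtasks /Create invocations with the task name and XML path,
    flagging XML definitions staged under %LocalAppData%\\Temp."""
    hits = []
    for pid, proc in sorted(processes.items()):
        if not proc["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = proc["cmdline"]
        if not re.search(r"/create\b", cmd, re.I):
            continue
        tn, xml = TN_RE.search(cmd), XML_RE.search(cmd)
        task = next((g for g in tn.groups() if g), None) if tn else None
        xml_path = next((g for g in xml.groups() if g), None) if xml else None
        in_temp = bool(xml_path) and "\\appdata\\local\\temp\\" in xml_path.lower()
        hits.append({"pid": pid, "parent": proc["parent"], "task": task,
                     "xml": xml_path, "xml_in_temp": in_temp})
    return hits


def wow64_redirected(proc):
    """True when the command line names System32 but the image that ran lives
    in SysWOW64, i.e. the caller was 32-bit and the path was redirected."""
    return ("\\syswow64\\" in proc["image"].lower()
            and "\\system32\\" in proc["cmdline"].lower())


if __name__ == "__main__":
    for h in find_hollowing(PROCESSES, EVENTS):
        print(f"hollowing: {h['source']} -> {h['target']} ({h['writes']} writes)")
    for h in find_schtasks_persistence(PROCESSES):
        print(f"schtasks persistence: task={h['task']} xml={h['xml']} "
              f"xml_in_temp={h['xml_in_temp']} parent={h['parent']}")
    print("wow64 redirected:", wow64_redirected(PROCESSES[2032]))
```

The same-image check matters: a process writing into an unrelated child (here the four writes into schtasks.exe, which are how the loader supplies input to it) is not by itself evidence of hollowing, whereas writes plus SetThreadContext into a freshly spawned copy of its own image is. On a live host the task name from the /TN argument is what to query with schtasks /Query /TN, and the XML path tells you which Temp file to preserve before it is cleaned up.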
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6B80.tmp (scheduled-task XML passed to schtasks.exe via /XML)
Filesize: 1KB
MD5: 8c3356d9216f61602d23b6754dc89530
SHA1: 8ae3b74de073959817b1f53039a2f7ef9841d7b8
SHA256: e0a833e320a16a7080a1a5731a6a61b0f987ddfa81470cce6a31b12e195cafea
SHA512: 0adf24e71276d375168fc45fe9aaffc493d686a759a5e0c32fde0c6cf4970f1df831044453a54a1179e156600e7858d71355ae8cc5bdf0756eb2fefabe4b4872

Memory dumps, PID 1472 (loader):
memory/1472-54-0x00000000011A0000-0x0000000001232000-memory.dmp, 584KB
memory/1472-55-0x0000000000370000-0x000000000038A000-memory.dmp, 104KB
memory/1472-56-0x0000000076C81000-0x0000000076C83000-memory.dmp, 8KB
memory/1472-57-0x0000000000570000-0x0000000000578000-memory.dmp, 32KB
memory/1472-58-0x0000000000B60000-0x0000000000B7A000-memory.dmp, 104KB

Memory dumps, PID 1964 (hollowed child, AsyncRAT payload at 0x400000-0x412000):
memory/1964-61-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
memory/1964-62-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
memory/1964-64-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
memory/1964-65-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
memory/1964-66-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
memory/1964-67-0x000000000040C5FE-mapping.dmp (mapping dump, no size reported)
memory/1964-69-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
memory/1964-71-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB

Memory dumps, PID 2032 (schtasks.exe):
memory/2032-59-0x0000000000000000-mapping.dmp (mapping dump, no size reported)