Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:54
Static task
- static1
Behavioral tasks
- behavioral1: sample Purchase__Order.exe, resource win7-20220414-en
- behavioral2: sample Purchase__Order.exe, resource win10v2004-20220414-en
The signatures, process tree, dropped files and memory dumps below come from behavioral1 (windows7_x64); the win10v2004 run is not shown on this page.
General
- Target: Purchase__Order.exe
- Size: 535KB
- MD5: a08f53208b0832720dc057d5b2d17e97
- SHA1: fe2ef8a2d445b410fa67a681285a3eab290ad295
- SHA256: ab8633debd051d65dde309e985c402d59ec5615a030c17714389c6f3e9ab3899
- SHA512: b349117988ebb5f4f6963697cb00c1a02f18f5b5d288ba84d8429e7cb63ca145ee157d0b6c40728da2dda59611c240884c76e01252aff368fca30ceb5455f6c2
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: SLAVES MONDAY
- C2: 194.5.98.81:3434
- Mutex: AsyncMutex_6363f86fs6fw6f
- delay: 3
- install: false
- install_folder: %AppData%
With install set to false the AsyncRAT client runs from where it was dropped and is not expected to copy itself into install_folder or create a persistence entry; that is consistent with the absence of any persistence signature in this run. The mutex name and the C2 socket are the two host- and network-side indicators worth adding to detection content.
Signatures
- Async RAT payload (7 IoCs)
  YARA rule asyncrat matched:
  - \Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe (4 hits)
  - C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe (2 hits)
  - behavioral1/memory/1492-78-0x0000000001050000-0x0000000001062000-memory.dmp (1 hit, memory of PID 1492 MONDAY.exe)
- Executes dropped EXE (3 IoCs)
  - PID 1648 avd.exe
  - PID 388 MONDAY.sfx.exe
  - PID 1492 MONDAY.exe
- Loads dropped DLL (8 IoCs)
  - PID 880 Purchase__Order.exe (3 loads)
  - PID 1384 cmd.exe (1 load)
  - PID 388 MONDAY.sfx.exe (4 loads)
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  That description is the generic text attached to this signature. Nothing else in this run (no file encryption, no ransom note, no shadow-copy deletion) points to ransomware; for an AsyncRAT client, drive enumeration is better read as host reconnaissance.
- Suspicious use of WriteProcessMemory (23 IoCs)
  The 23 events reduce to six parent-to-child pairs, each reported three or four times:
  - PID 880 Purchase__Order.exe -> PID 1648 avd.exe (4)
  - PID 1648 avd.exe -> PID 1964 cmd.exe (4)
  - PID 1964 cmd.exe -> PID 912 reg.exe (3)
  - PID 880 Purchase__Order.exe -> PID 1384 cmd.exe (4)
  - PID 1384 cmd.exe -> PID 388 MONDAY.sfx.exe (4)
  - PID 388 MONDAY.sfx.exe -> PID 1492 MONDAY.exe (4)
  Every target is the writer's own newly created child in the process tree, so these writes are the memory setup that accompanies process creation, not injection into an unrelated process. Treat this signature as injection evidence only when the target is not a child of the writer.
Processes
- PID 880  C:\Users\Admin\AppData\Local\Temp\Purchase__Order.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Purchase__Order.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 1648  C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 1964  C:\Windows\system32\cmd.exe
      command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3DBD.tmp\3DBE.tmp\3DBF.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"
      signatures: Suspicious use of WriteProcessMemory
      - PID 912  C:\Windows\system32\reg.exe
        command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
  - PID 1384  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\op.bat" "
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 388  C:\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exe
      command line: MONDAY.sfx.exe -dC:\Users\Admin\AppData\Local\Temp
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - PID 1492  C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe"
        signatures: Executes dropped EXE

Reading the chain: Purchase__Order.exe is a WinRAR self-extracting archive (its contents unpack into the RarSFX0 temp directory) carrying avd.exe, op.bat and a second self-extractor, MONDAY.sfx.exe. avd.exe runs a temporary batch file (3DBF.bat) through cmd.exe, reaching the 64-bit cmd.exe from a 32-bit process via the \sysnative\ alias, and that batch uses reg.exe to set HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 1 (ATT&CK T1562.001, Impair Defenses). The /f switch suppresses the overwrite prompt; writing under HKLM needs an elevated process, which the sandbox's Admin user provides, and current Windows 10 and 11 builds with Tamper Protection enabled ignore this value. In parallel, op.bat (23 bytes, content not captured on this page) runs MONDAY.sfx.exe with -d to extract into the Temp directory (RarSFX1), which then launches MONDAY.exe, the AsyncRAT client whose configuration is shown above.
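As an added example (not part of the sandbox report), the following Python transcribes the process tree and the 23 WriteProcessMemory events from this page and reduces them to the questions an analyst actually asks of such a report: is any write going into a process the writer did not itself create, which process set the Defender policy kill switch, which process was launched through the sysnative alias, and how many self-extractor stages are involved. The record layout, function names and verdict labels are this script's own conventions, not the sandbox's export format.

```python
"""Triage of the process tree and WriteProcessMemory events from this report.

Added example; it is not part of the sandbox report. The records below are
transcribed from the page's Processes tree and signature tables. Field names,
function names and verdict labels are this script's own conventions.
"""
import re
from collections import Counter

# (pid, parent pid, image path, command line) transcribed from the report.
PROCESSES = [
    (880, None, r"C:\Users\Admin\AppData\Local\Temp\Purchase__Order.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Purchase__Order.exe"'),
    (1648, 880, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"'),
    (1964, 1648, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3DBD.tmp\3DBE.tmp\3DBF.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"'),
    (912, 1964, r"C:\Windows\system32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f'),
    (1384, 880, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\op.bat" "'),
    (388, 1384, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exe",
     r"MONDAY.sfx.exe -dC:\Users\Admin\AppData\Local\Temp"),
    (1492, 388, r"C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe"'),
]

# The 23 WriteProcessMemory events as (writer pid, target pid), in report order.
WPM_EVENTS = ([(880, 1648)] * 4 + [(1648, 1964)] * 4 + [(1964, 912)] * 3
              + [(880, 1384)] * 4 + [(1384, 388)] * 4 + [(388, 1492)] * 4)

# reg.exe setting the Defender policy kill switch (ATT&CK T1562.001).
# Tolerates reg/reg.exe, HKLM/HKEY_LOCAL_MACHINE and quoted or bare arguments.
DEFENDER_POLICY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Policies'
    r'\\Microsoft\\Windows Defender"?.*?/v\s+"?DisableAntiSpyware"?.*?/d\s+"?1\b',
    re.IGNORECASE,
)


def process_table(processes):
    """Index the tree as pid -> (ppid, image, cmdline)."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in processes}


def classify_wpm(processes, events):
    """Label each (writer, target) pair.

    A write into a process whose recorded parent is the writer is the memory
    setup that accompanies CreateProcess. Anything else (unknown target, or a
    target the writer did not spawn) is a candidate for cross-process injection.
    """
    table = process_table(processes)
    verdicts = {}
    for writer, target in events:
        parent = table.get(target, (None,))[0]
        verdicts[(writer, target)] = "child-spawn" if parent == writer else "injection-candidate"
    return verdicts


def defender_tamper(processes):
    """PIDs whose command line sets the DisableAntiSpyware policy to 1."""
    return [pid for pid, _, _, cmdline in processes if DEFENDER_POLICY.search(cmdline)]


def sysnative_launches(processes):
    """(child pid, parent pid) where a 32-bit parent reached a 64-bit binary via sysnative."""
    return [(pid, ppid) for pid, ppid, _, cmdline in processes
            if "\\sysnative\\" in cmdline.lower()]


def sfx_stages(processes):
    """Distinct WinRAR self-extractor temp directories (RarSFX0, RarSFX1, ...) in use."""
    return sorted({m.group(0) for _, _, image, _ in processes
                   for m in re.finditer(r"RarSFX\d+", image)})


def summarize(processes, events):
    """One dict with everything the sections above should make an analyst check."""
    verdicts = classify_wpm(processes, events)
    return {
        "wpm_events": len(events),
        "writes_per_pair": dict(Counter(events)),
        "spawn_pairs": sorted(p for p, v in verdicts.items() if v == "child-spawn"),
        "injection_candidates": sorted(p for p, v in verdicts.items() if v == "injection-candidate"),
        "defender_tamper_pids": defender_tamper(processes),
        "sysnative_launches": sysnative_launches(processes),
        "sfx_stages": sfx_stages(processes),
    }


if __name__ == "__main__":
    for key, value in summarize(PROCESSES, WPM_EVENTS).items():
        print(f"{key}: {value}")
```

For this run every WriteProcessMemory pair comes back as child-spawn and the only injection candidate list is empty, which is the check that keeps the "Suspicious use of WriteProcessMemory" count from being over-read; the same classifier flags a constructed (1492, 880) write, where the AsyncRAT client would be writing into its grandparent, as an injection candidate.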
Downloads
Each dropped file is listed once below; the original list repeats several entries (the same file recorded under its C:\ path and under the drive-less \Users\ path, with identical hashes).
- C:\Users\Admin\AppData\Local\Temp\3DBD.tmp\3DBE.tmp\3DBF.bat
  Filesize: 130B
  MD5: 78cf128c2c0b024aa9075d038f32c0f9
  SHA1: ea941836117cb9f6d87a010806bbd5df58bd938a
  SHA256: bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e
  SHA512: d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exe (3 entries in the original list)
  Filesize: 315KB
  MD5: d5b59344064b40fcea8ed8c5efc50004
  SHA1: 92a3247139f13067cc66f30e82127026daffad8e
  SHA256: df0b09c6556056c0933c426ebe15c261c04a1a7eec741218dd64f6aad96f4dad
  SHA512: 6fd8784103d49cfbfe50e4933b39a932ac5d4a1aefd646204017e42013a0d5b8f35941149b0d696bfc28f0a31237a776bcce8519ee6ca3db4fd9da73502bcb2d
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe (4 entries in the original list)
  Filesize: 88KB
  MD5: 0dc86efbfedebf49fdaffde6e88c3374
  SHA1: f25ca6d1f0f482524f7d75cd98bef6dc23a9f877
  SHA256: 34340061108ed1dbbab5a54578e43d9bcace45b94b708633d77262adf24b96cf
  SHA512: 1279de999c88d435872e773dba01f727f1f60c559159716e9e47cc24554a32e88289730125b7ccd8d11091403ef3cbcc08406dace05cce272964b391867748e0
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\op.bat
  Filesize: 23B
  MD5: 2feb1ba17faab82e3151b6b12c292ac4
  SHA1: b91a0db39c285e0899498ed9344606fff0c387b4
  SHA256: 5fd21ddedc4fb53979a101479ed8f3216bb89c30515047242c12d09ce18a78ed
  SHA512: 74d0fcb452f9017916ccb86a0b6ef7418bfbb34b4a54c8e9e8f756d8c7f56c7015dcd65032860ee79f3f3027998c531c3c39aa591cc80567e3727d296bc7adda
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe (6 entries in the original list; the AsyncRAT client matched by the asyncrat YARA rule)
  Filesize: 45KB
  MD5: 9913d6e9c9484a53d8892b0f911b7958
  SHA1: 7f0743302ebef2442bde107aa7ee318e67a3ae1f
  SHA256: 28f697555b087d5065726a473137ac93b5a3bcc8e61b4ef4baa732fa6f7ec229
  SHA512: 6c1915fdc5fa991c8ad93ab2f6593edf848cac5397967bfe1610267a2f480c2af5969e3cdf8cf02c41e23a4d60d3702ec246127dc28fb94408dfee1628eaae85
Memory dumps
- memory/388-68-0x0000000000000000-mapping.dmp
- memory/880-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (Filesize 8KB)
- memory/912-63-0x0000000000000000-mapping.dmp
- memory/1384-64-0x0000000000000000-mapping.dmp
- memory/1492-75-0x0000000000000000-mapping.dmp
- memory/1492-78-0x0000000001050000-0x0000000001062000-memory.dmp (Filesize 72KB; matched YARA rule asyncrat)
- memory/1648-58-0x0000000000000000-mapping.dmp
- memory/1964-61-0x0000000000000000-mapping.dmp
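Reports like this one are usually consumed as flattened text, with the label fused onto the value ("MD5<hex>", "<path>Filesize") and the same file listed several times. As an added example (not part of the sandbox report), the Python below parses an excerpt constructed from this page in exactly that fused form, validates digest lengths, collapses repeats by SHA256 so each payload appears once with every path it was seen under, and matches the resulting hash set against a constructed host file inventory, which is how these values are used once the analysis is over. Function names, the record layout and the inventory entries are this script's own.

```python
"""Parse the flattened Downloads list of this report into a unique-file IOC set.

Added example; this is not part of the sandbox report. SAMPLE_TEXT is an
excerpt constructed from this page in the fused form the extraction produced
("<path>Filesize", "MD5<hex>", "-" separators). Function names and the record
layout are this script's own conventions.
"""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest algorithm names first so a SHA512 line is never read as "SHA1" + hex.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^\d+(B|KB|MB|GB)$")

SAMPLE_TEXT = r"""
-
C:\Users\Admin\AppData\Local\Temp\3DBD.tmp\3DBE.tmp\3DBF.batFilesize
130B
MD578cf128c2c0b024aa9075d038f32c0f9
SHA1ea941836117cb9f6d87a010806bbd5df58bd938a
SHA256bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e
SHA512d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exeFilesize
315KB
MD5d5b59344064b40fcea8ed8c5efc50004
SHA256df0b09c6556056c0933c426ebe15c261c04a1a7eec741218dd64f6aad96f4dad
-
\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exeFilesize
315KB
MD5d5b59344064b40fcea8ed8c5efc50004
SHA256df0b09c6556056c0933c426ebe15c261c04a1a7eec741218dd64f6aad96f4dad
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exeFilesize
45KB
MD59913d6e9c9484a53d8892b0f911b7958
SHA25628f697555b087d5065726a473137ac93b5a3bcc8e61b4ef4baa732fa6f7ec229
-
memory/1492-78-0x0000000001050000-0x0000000001062000-memory.dmpFilesize
72KB
-
memory/388-68-0x0000000000000000-mapping.dmp
"""

# Constructed host inventory (path, SHA256): a renamed copy of MONDAY.exe
# dropped somewhere else, and an unrelated file with a placeholder digest.
SAMPLE_INVENTORY = [
    (r"C:\Users\Admin\AppData\Roaming\svchost32.exe",
     "28F697555B087D5065726A473137AC93B5A3BCC8E61B4EF4BAA732FA6F7EC229"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]


def parse_downloads(text):
    """Split the fused list into one dict per entry: path, size, hashes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # separator between entries
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.endswith("Filesize"):         # "<path>Filesize" header line
            current = {"path": line[: -len("Filesize")], "size": None, "hashes": {}}
            continue
        if current is None:                   # bare lines such as a mapping dump
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current['path']}")
            current["hashes"][algo] = digest
        elif SIZE_LINE.match(line):
            current["size"] = line
    if current is not None:
        entries.append(current)
    return entries


def unique_files(entries):
    """Collapse repeated entries by SHA256 (or by path when no hash was captured)."""
    files = {}
    for e in entries:
        key = e["hashes"].get("SHA256") or e["path"]
        rec = files.setdefault(key, {"size": e["size"], "hashes": {}, "paths": []})
        rec["hashes"].update(e["hashes"])
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return files


def match_inventory(files, inventory):
    """(path, sha256) pairs from a host inventory whose digest is a known payload.

    Matching on the digest rather than the path catches the same payload
    dropped under a different name or directory.
    """
    known = {rec["hashes"]["SHA256"] for rec in files.values() if "SHA256" in rec["hashes"]}
    return [(path, digest) for path, digest in inventory if digest.lower() in known]


if __name__ == "__main__":
    uniq = unique_files(parse_downloads(SAMPLE_TEXT))
    for key, rec in uniq.items():
        print(key, rec["size"], rec["paths"])
    print("inventory hits:", match_inventory(uniq, SAMPLE_INVENTORY))
```

The length check matters more than it looks: a fused "MD5<hex>" line that lost or gained a character during extraction would otherwise silently become an indicator that never matches anything.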