Analysis
- max time kernel: 140s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:56
Static task: static1
Behavioral task: behavioral1
- Sample: AWB#5305323204669,pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: AWB#5305323204669,pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: AWB#5305323204669,pdf.exe
- Size: 233KB
- MD5: dab03f72d77a672205cc10130d2654c6
- SHA1: 83241c5520fdfc26aa7fe4d282f7e7de9018616b
- SHA256: 79125331a3e97dca7542b0f146bcb41429eebf7b790014317463c9239601421a
- SHA512: 1fad7ea231e95080ceef91d02d972db60a8d9096a7d6b3c7d50243b62eb7b07999d1af919787c11f9d3bae8d0fe257e4b97b6fada39e0cf436ef6d00423b5262
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- AWKASUNDAYNIGHT
- chizzy25@!7^UPC
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/HKYwiN9V
Signatures
- CoreEntity .NET Packer (1 IoCs)
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
  Processes:
  resource | yara_rule
  behavioral1/memory/1856-56-0x00000000004B0000-0x00000000004B8000-memory.dmp | coreentity
- Async RAT payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2028-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/2028-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/2028-65-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/2028-66-0x000000000040C73E-mapping.dmp | asyncrat
  behavioral1/memory/2028-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/2028-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
  resource | yara_rule
  behavioral1/memory/1856-57-0x0000000000B40000-0x0000000000B58000-memory.dmp | rezer0
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: AWB#5305323204669,pdf.exe
  description | pid | process | target process
  PID 1856 set thread context of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: AWB#5305323204669,pdf.exe
  pid | process
  1856 | AWB#5305323204669,pdf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AWB#5305323204669,pdf.exe, MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 1856 | AWB#5305323204669,pdf.exe
  Token: SeDebugPrivilege | 2028 | MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: AWB#5305323204669,pdf.exe
  description | pid | process | target process
  PID 1856 wrote to memory of 1164 | 1856 | AWB#5305323204669,pdf.exe | schtasks.exe
  PID 1856 wrote to memory of 1164 | 1856 | AWB#5305323204669,pdf.exe | schtasks.exe
  PID 1856 wrote to memory of 1164 | 1856 | AWB#5305323204669,pdf.exe | schtasks.exe
  PID 1856 wrote to memory of 1164 | 1856 | AWB#5305323204669,pdf.exe | schtasks.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
  PID 1856 wrote to memory of 2028 | 1856 | AWB#5305323204669,pdf.exe | MSBuild.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\AWB#5305323204669,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB#5305323204669,pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgIKzElqxTk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94C2.tmp"
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp94C2.tmp
  Filesize: 1KB
  MD5: 0a872137dda6d82f31617b181d00c16d
  SHA1: 151db573298f3432bb0c027553b8ad850ee40f07
  SHA256: 35f76f380b68937a54670f8d92ba3c272bd3d70d6b3c948ecdfe1f5d90232357
  SHA512: 056376c10dbe981ef1056fec43ace839ff61fe57efe3938d9d321cf2b7bb6e98ad3189effac1cc4710586539eedc956be3dd0afd72175c7193d9adde82f0e3aa
- memory/1164-58-0x0000000000000000-mapping.dmp
- memory/1856-54-0x00000000012F0000-0x0000000001330000-memory.dmp
  Filesize: 256KB
- memory/1856-55-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB
- memory/1856-56-0x00000000004B0000-0x00000000004B8000-memory.dmp
  Filesize: 32KB
- memory/1856-57-0x0000000000B40000-0x0000000000B58000-memory.dmp
  Filesize: 96KB
- memory/2028-60-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2028-61-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2028-63-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2028-64-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2028-65-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2028-66-0x000000000040C73E-mapping.dmp
- memory/2028-68-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2028-70-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB