Analysis
- max time kernel: 154s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 20:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe
- Resource: win7-20220414-en
General
- Target: 899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe
- Size: 385KB
- MD5: 2a51a997488380da1de20ea4d0050be9
- SHA1: 27e0c00423195325b5f38cc7060bc4060b520969
- SHA256: 899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84
- SHA512: 64cbb33704c4be470be12087a1bd76d4fa32d1b5814afa6afa1429ab574ed2cae7bcf5743cad1668be584271281028b81ca2a1f408555bf2ce5977a8d82d2086
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.6B
- 5 (unlabelled value in the extraction)
- C2: moveforme.ug:6970
- C2: xafsavxcfdgbdsfg.ru:6970
- tralala (unlabelled value in the extraction)
- delay: 0
- install: false
- install_file: dllhost.exe
- install_folder: %AppData%

Reading the config: AsyncRAT builds also carry a group/botnet ID and a mutex name, and the two unlabelled values above sit where those are normally printed, so that is their most likely meaning (an inference, not something the extraction states). delay 0 means the payload does not sleep before its first connection attempt. install false means the RAT's own install routine is switched off, so install_file and install_folder are inert: the sample will not copy itself to %AppData%\dllhost.exe. The scheduled task seen later in this report is therefore created by the loader stage around the RAT, not by AsyncRAT's settings, and that is where persistence should be looked for on an infected host. Both C2 hosts use the same port, 6970.
Signatures
-
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses (listed twice in the report)
Caveat: this ET rule is a heuristic on NXDOMAIN responses for random-looking hostnames, not a family-specific signature. Given the extracted config, the most likely trigger is the sandbox failing to resolve the configured AsyncRAT C2 names (xafsavxcfdgbdsfg.ru in particular), so the alert name should not be read as evidence of Zeus GameOver or FluBot. The actionable network indicators remain the two hostnames and port 6970 from the config.
-
Async RAT payload 1 IoCs
Processes:
- resource: behavioral2/memory/4076-138-0x0000000000400000-0x0000000000412000-memory.dmp
- yara_rule: asyncrat
The match is in the memory of the child process (PID 4076), in a 72KB region starting at 0x400000, the default image base of a 32-bit PE. The unpacked RAT is only present in that hollowed child; the 385KB file on disk is the loader wrapped around it, which is why a file-based YARA scan of the sample alone may not hit.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  by 899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3304 (899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe) set thread context of PID 4076 (899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe)
Together with the WriteProcessMemory calls below, this is the parent rewriting the main thread of a suspended copy of itself, i.e. process hollowing of its own image rather than of a system binary.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: the second sentence is the sandbox's generic description of this behaviour. With the extracted config identifying the payload as AsyncRAT, and no file-encryption or mass-write activity listed anywhere in this report, drive enumeration here is better read as host reconnaissance than as ransomware.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
In this run the task is registered from an XML definition dropped in the user's Temp folder (task name Updates\ptphWBVV, definition file tmpA3A7.tmp; see the process tree and the Downloads section). Since the RAT config has install false, this task is the persistence mechanism of the loader stage.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- PID 3304 (899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe) wrote to memory of PID 4416 (schtasks.exe): 3 events
- PID 3304 (899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe) wrote to memory of PID 4076 (899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe): 8 events
The three writes into schtasks.exe are the ordinary CreateProcess bookkeeping of a new child; the eight writes into the second copy of the sample are the payload being mapped into the hollowed child before its thread context is set.
Processes
- C:\Users\Admin\AppData\Local\Temp\899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ptphWBVV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3A7.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe
    command line: "{path}"

Two details of the tree are worth keeping in mind when hunting for this loader. The image path of schtasks.exe (SysWOW64) differs from the path on its command line (System32) because the parent is a 32-bit process on a 64-bit host and file-system redirection rewrote the path; matching on the file name rather than the directory avoids missing it. The child copy of the sample is started with the literal command line "{path}", an unsubstituted template placeholder from the loader, which makes an otherwise innocuous self-spawn easy to single out.
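The following is an added hunting example, not part of the sandbox report: it runs over process-creation records in the shape of Sysmon Event ID 1 and flags the two loader behaviours the tree above shows, a schtasks.exe /Create fed an XML definition from %Temp%\tmpXXXX.tmp and a process starting a copy of its own image with the bare "{path}" command line. The records are constructed from the PIDs and command lines in this report; the parent of PID 3304 (explorer.exe, PID 1234) and the two benign control events are assumptions for illustration only.

```python
"""Hunt for the loader behaviours seen in the process tree: Temp-XML scheduled task
creation (T1053.005) and self-hollowing with the literal "{path}" command line (T1055.012).
Records are constructed Sysmon Event ID 1 style process-creation events, not sandbox output."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process, as logged
    cmdline: str       # command line, as logged
    parent_image: str  # full path of the creating process


# schtasks /Create whose task definition is a throwaway tmpXXXX.tmp in the user's Temp dir
TEMP_XML_RE = re.compile(
    r'/XML\s+"?[^"\s]*\\AppData\\Local\\Temp\\tmp[0-9A-F]{1,4}\.tmp"?', re.IGNORECASE
)
# the unsubstituted "{path}" placeholder the loader hands to its hollowed child
PLACEHOLDER_CMDLINE_RE = re.compile(r'^\s*"?\{path\}"?\s*$')


def is_temp_xml_schtasks(ev: ProcEvent) -> bool:
    """schtasks.exe registering a task from an XML file in %Temp%.
    Matches on the file name only: on 64-bit hosts a 32-bit parent's call to
    System32\\schtasks.exe is redirected to SysWOW64, as in the report."""
    return (ev.image.lower().endswith("\\schtasks.exe")
            and "/create" in ev.cmdline.lower()
            and TEMP_XML_RE.search(ev.cmdline) is not None)


def is_self_spawn_placeholder(ev: ProcEvent) -> bool:
    """A process starting a copy of its own image with the bare "{path}" command line.
    Self-spawns alone are common (browsers, sandboxed helpers); the placeholder is the tell."""
    return (ev.image.lower() == ev.parent_image.lower()
            and PLACEHOLDER_CMDLINE_RE.match(ev.cmdline) is not None)


def hunt(events):
    """Return (pid, ppid, label) for every suspicious event, in log order."""
    hits = []
    for ev in events:
        if is_temp_xml_schtasks(ev):
            hits.append((ev.pid, ev.ppid, "schtasks_temp_xml"))
        if is_self_spawn_placeholder(ev):
            hits.append((ev.pid, ev.ppid, "self_spawn_placeholder"))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe"

# Constructed records. PIDs 3304/4416/4076 and their command lines come from the report;
# the explorer.exe parent (PID 1234) and the last two benign events are assumptions.
EVENTS = [
    ProcEvent(3304, 1234, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(4416, 3304, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ptphWBVV" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpA3A7.tmp"',
              SAMPLE),
    ProcEvent(4076, 3304, SAMPLE, '"{path}"', SAMPLE),
    ProcEvent(5000, 1234, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(5001, 5002, r"C:\Program Files\Browser\browser.exe",
              r'"C:\Program Files\Browser\browser.exe" --type=renderer',
              r"C:\Program Files\Browser\browser.exe"),
]


if __name__ == "__main__":
    for pid, ppid, label in hunt(EVENTS):
        print(f"pid {pid} (parent {ppid}): {label}")
```

Run against the constructed records, hunt() returns exactly the two report PIDs, 4416 for the Temp-XML task registration and 4076 for the placeholder self-spawn, and ignores the benign schtasks run and the browser's renderer child. To turn this into a standing detection, feed it real Event ID 1 records and keep the two checks separate: the Temp-XML task is worth an alert on its own, while the "{path}" check is a high-confidence signal for this loader family but will miss builds that substitute the placeholder.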
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\899add4d120b60a2dad900062baabfc70d6cbb616d9f4a784e850197f580fa84.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
  This usage log is written by the 32-bit .NET Framework 4 runtime (CLR_v4.0_32), which confirms the loader is a 32-bit .NET executable and explains the SysWOW64 redirection of schtasks.exe in the process tree.
- C:\Users\Admin\AppData\Local\Temp\tmpA3A7.tmp
  Filesize: 1KB
  MD5: 7dee6a2bf6c714bfd1853bf49720d01e
  SHA1: 1a9d98de21f3fa0517b2aeffa462371f2cd223b4
  SHA256: 1946cd357e6124fafc8b4a7240e5e74569eed6f2da7f6279817892be07f7cc2c
  SHA512: 56f190473d456382c0c13ed8eb49ceb98703660c7aebb8e301531ad2babf9bd427f3ee01217e3d7b1119e70a8a30938cc3f77eff666816fd63c18cf3784c6169
  This is the scheduled-task XML passed to schtasks.exe /XML for the task Updates\ptphWBVV; its hash is a useful host indicator because the file is typically left behind in Temp after registration.

Memory dumps
- memory/3304-130-0x0000000000D60000-0x0000000000DC6000-memory.dmp: 408KB
- memory/3304-131-0x000000000A180000-0x000000000A724000-memory.dmp: 5.6MB
- memory/3304-132-0x00000000058F0000-0x0000000005982000-memory.dmp: 584KB
- memory/3304-133-0x0000000005850000-0x000000000585A000-memory.dmp: 40KB
- memory/3304-134-0x0000000009F70000-0x000000000A00C000-memory.dmp: 624KB
- memory/4076-138-0x0000000000400000-0x0000000000412000-memory.dmp: 72KB (the region the asyncrat YARA rule matched)
- memory/4076-137-0x0000000000000000-mapping.dmp
- memory/4416-135-0x0000000000000000-mapping.dmp