23e10e6ce7df576f68283f2ceb00b0975170a3ef778161b35e3bbb578b4c7416

Analysis

max time kernel
134s
max time network
146s
platform
windows10_x64
resource
win10-20220414-en
submitted
21-06-2022 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mrkbkdFdag.exe
Size

1.6MB
MD5

cf6e51ffe0d98c19e74880e8ce170a9a
SHA1

2709d62f268d92c5d43aece4bd2089dace55c1ad
SHA256

23e10e6ce7df576f68283f2ceb00b0975170a3ef778161b35e3bbb578b4c7416
SHA512

25ff5c51aea16dc4f2ae5eb70f403eb2d386018297b86d0ccf4fe4dce6929d1409ae831c2721c404e9f58472873ce6e6b87a419b2355aee7fda7773366aab03a

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

casr.execasr.exe

pid process

4044 casr.exe
1800 casr.exe

pid	process
4044	casr.exe
1800	casr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/216-252-0x0000000000600000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/2664-382-0x0000000000500000-0x00000000008E4000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

mrkbkdFdag.execasr.exe

description	pid	process	target process
PID 1352 set thread context of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 4044 set thread context of 2664	4044	casr.exe	RegAsm.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3976 216 WerFault.exe RegAsm.exe
3108 2664 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2456 schtasks.exe
2216 schtasks.exe

pid	pid_target	process	target process
3976	216	WerFault.exe	RegAsm.exe
3108	2664	WerFault.exe	RegAsm.exe

pid	process
2456	schtasks.exe
2216	schtasks.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

mrkbkdFdag.execmd.execasr.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 2320	1352	mrkbkdFdag.exe	cmd.exe
PID 1352 wrote to memory of 2320	1352	mrkbkdFdag.exe	cmd.exe
PID 1352 wrote to memory of 2320	1352	mrkbkdFdag.exe	cmd.exe
PID 2320 wrote to memory of 2456	2320	cmd.exe	schtasks.exe
PID 2320 wrote to memory of 2456	2320	cmd.exe	schtasks.exe
PID 2320 wrote to memory of 2456	2320	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 820	1352	mrkbkdFdag.exe	cmd.exe
PID 1352 wrote to memory of 820	1352	mrkbkdFdag.exe	cmd.exe
PID 1352 wrote to memory of 820	1352	mrkbkdFdag.exe	cmd.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 1352 wrote to memory of 216	1352	mrkbkdFdag.exe	RegAsm.exe
PID 4044 wrote to memory of 1988	4044	casr.exe	cmd.exe
PID 4044 wrote to memory of 1988	4044	casr.exe	cmd.exe
PID 4044 wrote to memory of 1988	4044	casr.exe	cmd.exe
PID 1988 wrote to memory of 2216	1988	cmd.exe	schtasks.exe
PID 1988 wrote to memory of 2216	1988	cmd.exe	schtasks.exe
PID 1988 wrote to memory of 2216	1988	cmd.exe	schtasks.exe
PID 4044 wrote to memory of 1584	4044	casr.exe	cmd.exe
PID 4044 wrote to memory of 1584	4044	casr.exe	cmd.exe
PID 4044 wrote to memory of 1584	4044	casr.exe	cmd.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe
PID 4044 wrote to memory of 2664	4044	casr.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\mrkbkdFdag.exe
"C:\Users\Admin\AppData\Local\Temp\mrkbkdFdag.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mrkbkdFdag.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 568
3⤵
- Program crash
PID:3976

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 576
3⤵
- Program crash
PID:3108

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\casr.exe.log
Filesize
520B

MD5
f5a4ac8b07bce81c5d29a6701317315b

SHA1
b2a2b7735c475f5d30a2d94251b4d7c4f511a57e

SHA256
e6a1b02dd813c1f29bfd8361a4fc7ca6f24d2e41d5c3a66258cb66f3cb902f5a

SHA512
83a82932a9395f13e346a5e3e7fd27ed6d5fb6d32b6838107c24318add4c74f199d974d6f33acb0f6aa670a19a544c672f420249c792e336452ad37f304e7dc0

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
cf6e51ffe0d98c19e74880e8ce170a9a

SHA1
2709d62f268d92c5d43aece4bd2089dace55c1ad

SHA256
23e10e6ce7df576f68283f2ceb00b0975170a3ef778161b35e3bbb578b4c7416

SHA512
25ff5c51aea16dc4f2ae5eb70f403eb2d386018297b86d0ccf4fe4dce6929d1409ae831c2721c404e9f58472873ce6e6b87a419b2355aee7fda7773366aab03a

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
cf6e51ffe0d98c19e74880e8ce170a9a

SHA1
2709d62f268d92c5d43aece4bd2089dace55c1ad

SHA256
23e10e6ce7df576f68283f2ceb00b0975170a3ef778161b35e3bbb578b4c7416

SHA512
25ff5c51aea16dc4f2ae5eb70f403eb2d386018297b86d0ccf4fe4dce6929d1409ae831c2721c404e9f58472873ce6e6b87a419b2355aee7fda7773366aab03a

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
1.6MB

MD5
cf6e51ffe0d98c19e74880e8ce170a9a

SHA1
2709d62f268d92c5d43aece4bd2089dace55c1ad

SHA256
23e10e6ce7df576f68283f2ceb00b0975170a3ef778161b35e3bbb578b4c7416

SHA512
25ff5c51aea16dc4f2ae5eb70f403eb2d386018297b86d0ccf4fe4dce6929d1409ae831c2721c404e9f58472873ce6e6b87a419b2355aee7fda7773366aab03a

Download Submit
memory/216-209-0x00000000007E2740-mapping.dmp

Download
memory/216-252-0x0000000000600000-0x00000000009E4000-memory.dmp

Filesize
3.9MB

Download
memory/820-194-0x0000000000000000-mapping.dmp

Download
memory/1352-152-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-146-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-121-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-122-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-123-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-124-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-125-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-126-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-127-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-128-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-129-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-130-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-131-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-132-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-133-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-134-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-135-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-136-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-137-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-138-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-139-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-140-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-141-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-142-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-143-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-144-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-145-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-119-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-147-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-148-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-149-0x0000000000820000-0x00000000009B4000-memory.dmp

Filesize
1.6MB

Download
memory/1352-150-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-151-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-118-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-153-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-154-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-156-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-116-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-120-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-158-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-159-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-160-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-161-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-162-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-163-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-164-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-165-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-166-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-167-0x00000000055A0000-0x0000000005716000-memory.dmp

Filesize
1.5MB

Download
memory/1352-193-0x0000000005C20000-0x000000000611E000-memory.dmp

Filesize
5.0MB

Download
memory/1352-117-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-155-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-157-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-332-0x0000000000000000-mapping.dmp

Download
memory/1988-307-0x0000000000000000-mapping.dmp

Download
memory/2216-313-0x0000000000000000-mapping.dmp

Download
memory/2320-172-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2320-173-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2320-168-0x0000000000000000-mapping.dmp

Download
memory/2320-169-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2320-170-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2320-171-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-179-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-174-0x0000000000000000-mapping.dmp

Download
memory/2456-178-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-175-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-180-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-181-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-182-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-183-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-176-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-177-0x00000000772B0000-0x000000007743E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-382-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/2664-339-0x00000000007E2740-mapping.dmp

Download