Analysis
- max time kernel: 133s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 23:35
Static task: static1
Behavioral task: behavioral1
- Sample: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Resource: win10v2004-20220414-en
General
- Target: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Size: 9.2MB
- MD5: 8b5037f5be44b50fd1ec4c8b089dd6a4
- SHA1: e5aaa6222b7c3347224feeed3c237a4d19039a4c
- SHA256: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d
- SHA512: 508409fe3e0cb07231b79b15f49f8de008e21f2e156afc9c979c45af4e0193cf79ac4faebf94830ab7d7db355328560f1c6f7549478d3d1038408897dc508bc1
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: eds.edspeck.org:7707
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/980-74-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/980-75-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/980-76-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/980-77-0x000000000040C6AE-mapping.dmp | asyncrat
  behavioral1/memory/980-81-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/980-79-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Executes dropped EXE (1 IoC)
  pid | process
  1276 | App Update.exe
- Loads dropped DLL (1 IoC)
  pid | process
  844 | cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\App Update.exe" | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1276 set thread context of 980 | 1276 | App Update.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1956 | c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
  1276 | App Update.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1956 | c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
  Token: SeDebugPrivilege | 1276 | App Update.exe
- Suspicious use of WriteProcessMemory (35 IoCs; repeated identical entries collapsed below)
  description | pid | process | target process
  PID 1956 wrote to memory of 388 | 1956 | c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe | cmd.exe
  PID 1956 wrote to memory of 844 | 1956 | c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe | cmd.exe
  PID 844 wrote to memory of 1276 | 844 | cmd.exe | App Update.exe
  PID 1276 wrote to memory of 1996 | 1276 | App Update.exe | cmd.exe
  PID 1996 wrote to memory of 1892 | 1996 | cmd.exe | reg.exe
  PID 1276 wrote to memory of 980 | 1276 | App Update.exe | RegAsm.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe" "C:\Users\Admin\AppData\Roaming\App Update.exe"
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\App Update.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\App Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\App Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RuntimeBroker" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\App Update.exe"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RuntimeBroker" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\App Update.exe"
          - Adds Run key to start application
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Downloads
- C:\Users\Admin\AppData\Roaming\App Update.exe
  Filesize: 9.2MB
  MD5: 8b5037f5be44b50fd1ec4c8b089dd6a4
  SHA1: e5aaa6222b7c3347224feeed3c237a4d19039a4c
  SHA256: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d
  SHA512: 508409fe3e0cb07231b79b15f49f8de008e21f2e156afc9c979c45af4e0193cf79ac4faebf94830ab7d7db355328560f1c6f7549478d3d1038408897dc508bc1
- \Users\Admin\AppData\Roaming\App Update.exe
  Filesize: 9.2MB
  MD5: 8b5037f5be44b50fd1ec4c8b089dd6a4
  SHA1: e5aaa6222b7c3347224feeed3c237a4d19039a4c
  SHA256: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d
  SHA512: 508409fe3e0cb07231b79b15f49f8de008e21f2e156afc9c979c45af4e0193cf79ac4faebf94830ab7d7db355328560f1c6f7549478d3d1038408897dc508bc1
- memory/388-59-0x0000000000000000-mapping.dmp
- memory/844-60-0x0000000000000000-mapping.dmp
- memory/980-74-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/980-75-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/980-79-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/980-81-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/980-77-0x000000000040C6AE-mapping.dmp
- memory/980-76-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/980-71-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/980-72-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1276-63-0x0000000000000000-mapping.dmp
- memory/1276-65-0x00000000012C0000-0x0000000001BF6000-memory.dmp (Filesize: 9.2MB)
- memory/1276-67-0x0000000000310000-0x0000000000334000-memory.dmp (Filesize: 144KB)
- memory/1276-70-0x0000000005070000-0x0000000005082000-memory.dmp (Filesize: 72KB)
- memory/1892-69-0x0000000000000000-mapping.dmp
- memory/1956-55-0x00000000761F1000-0x00000000761F3000-memory.dmp (Filesize: 8KB)
- memory/1956-54-0x0000000000220000-0x0000000000B56000-memory.dmp (Filesize: 9.2MB)
- memory/1956-58-0x0000000000E30000-0x0000000000E3C000-memory.dmp (Filesize: 48KB)
- memory/1956-56-0x0000000000D70000-0x0000000000D90000-memory.dmp (Filesize: 128KB)
- memory/1956-57-0x0000000000DD0000-0x0000000000DF4000-memory.dmp (Filesize: 144KB)
- memory/1996-68-0x0000000000000000-mapping.dmp