Analysis
- Max time kernel: 147s
- Max time network: 161s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 30-06-2022 23:35
Static task: static1

Behavioral task: behavioral1
- Sample: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Resource: win10v2004-20220414-en
General
- Target: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Size: 9.2MB
- MD5: 8b5037f5be44b50fd1ec4c8b089dd6a4
- SHA1: e5aaa6222b7c3347224feeed3c237a4d19039a4c
- SHA256: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d
- SHA512: 508409fe3e0cb07231b79b15f49f8de008e21f2e156afc9c979c45af4e0193cf79ac4faebf94830ab7d7db355328560f1c6f7549478d3d1038408897dc508bc1
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: eds.edspeck.org:7707
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
Processes:
- resource: behavioral2/memory/2300-148-0x0000000000620000-0x0000000000632000-memory.dmp, yara_rule: asyncrat

Executes dropped EXE (1 IoC)
Processes:
- PID 4464: App Update.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, by c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, by App Update.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\App Update.exe", by reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run, by reg.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 4464 (App Update.exe) set thread context of PID 2300 (RegAsm.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 3092: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- PID 4464: App Update.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3092 c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
- Token: SeDebugPrivilege, PID 4464 App Update.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID and process, target PID and process; repeated events are counted):
- PID 3092 c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe wrote to memory of PID 2716 cmd.exe (3 events)
- PID 3092 c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe wrote to memory of PID 3412 cmd.exe (3 events)
- PID 3412 cmd.exe wrote to memory of PID 4464 App Update.exe (3 events)
- PID 4464 App Update.exe wrote to memory of PID 4700 cmd.exe (3 events)
- PID 4700 cmd.exe wrote to memory of PID 4196 reg.exe (3 events)
- PID 4464 App Update.exe wrote to memory of PID 2300 RegAsm.exe (8 events)
Processes (indentation shows the parent/child tree; the number is the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d.exe" "C:\Users\Admin\AppData\Roaming\App Update.exe"

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\App Update.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\App Update.exe
            Command line: "C:\Users\Admin\AppData\Roaming\App Update.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RuntimeBroker" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\App Update.exe"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RuntimeBroker" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\App Update.exe"
                    - Adds Run key to start application

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\App Update.exe
  Filesize: 9.2MB
  MD5: 8b5037f5be44b50fd1ec4c8b089dd6a4
  SHA1: e5aaa6222b7c3347224feeed3c237a4d19039a4c
  SHA256: c3ecf46a0d8bcdeadcc4de5d1e04412a8bd3a4c8bfd00ed55c44edf7e014021d
  SHA512: 508409fe3e0cb07231b79b15f49f8de008e21f2e156afc9c979c45af4e0193cf79ac4faebf94830ab7d7db355328560f1c6f7549478d3d1038408897dc508bc1