Analysis

- max time kernel: 191s
- max time network: 211s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 23:44

Static task: static1
Behavioral task: behavioral1
Sample: 0190d8f34a79387e40de95958d59899ad99dd8bf17810e53502499810aae8aa6.exe
Resource: win7-20220414-en
General

- Target: 0190d8f34a79387e40de95958d59899ad99dd8bf17810e53502499810aae8aa6.exe
- Size: 615KB
- MD5: 707b8e65a6d7458fecc11f6ad9936854
- SHA1: c32ba8c6988a3dab852f38ccc6423c1d0adfaa72
- SHA256: 0190d8f34a79387e40de95958d59899ad99dd8bf17810e53502499810aae8aa6
- SHA512: 313403eb5ed4dd579d3a2fb74ce6a411b5fe120680756a8679775eb5aabc7179f0e7833917e37594000c71331590ee3bc16298cf58ed4104024f98ccaf5ada80
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
- 127.0.0.1:1194
- 127.0.0.1:61906
- minerboy123-61906.portmap.host:1194
- minerboy123-61906.portmap.host:61906
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: true
- install_file: Windows Explorer.exe
- install_folder: %AppData%
Signatures

Async RAT payload (5 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe: asyncrat
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe: asyncrat
- behavioral2/memory/5068-135-0x0000000000150000-0x000000000016E000-memory.dmp: asyncrat
- C:\Users\Admin\AppData\Roaming\Windows Explorer.exe: asyncrat
- C:\Users\Admin\AppData\Roaming\Windows Explorer.exe: asyncrat

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 5068 Tempwinlogon.exe
- 360 Windows Explorer.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (cscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (Tempwinlogon.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes (pid, process):
- 1700 timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes (pid, process):
- 5068 Tempwinlogon.exe (23 events, all from this one process)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 5068 Tempwinlogon.exe
- Token: SeDebugPrivilege, 360 Windows Explorer.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (pid and process wrote to memory of target pid and process; each pair is recorded 3 times):
- 3604 0190d8f34a79387e40de95958d59899ad99dd8bf17810e53502499810aae8aa6.exe wrote to memory of 1780 cscript.exe (3 events)
- 1780 cscript.exe wrote to memory of 5068 Tempwinlogon.exe (3 events)
- 5068 Tempwinlogon.exe wrote to memory of 2148 cmd.exe (3 events)
- 5068 Tempwinlogon.exe wrote to memory of 4500 cmd.exe (3 events)
- 2148 cmd.exe wrote to memory of 1412 schtasks.exe (3 events)
- 4500 cmd.exe wrote to memory of 1700 timeout.exe (3 events)
- 4500 cmd.exe wrote to memory of 360 Windows Explorer.exe (3 events)
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\0190d8f34a79387e40de95958d59899ad99dd8bf17810e53502499810aae8aa6.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0190d8f34a79387e40de95958d59899ad99dd8bf17810e53502499810aae8aa6.exe"
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cscript.exe (depth 2)
  Command line: "cscript" C:\Users\Admin\AppData\Local\Temp\5D43.tmp\CryptedAsync.vbs
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Tempwinlogon.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (depth 4)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"' & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (depth 5)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Windows Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"'
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\cmd.exe (depth 4)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp.bat""
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe (depth 5)
        Command line: timeout 3
        - Delays execution with timeout.exe

        C:\Users\Admin\AppData\Roaming\Windows Explorer.exe (depth 5)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\5D43.tmp\CryptedAsync.vbs
- Filesize: 577KB
- MD5: 473198cc93fa0767a9875a4203808f2d
- SHA1: 267435de27e285e312cf90f2f4cd9b46023c5a4f
- SHA256: 4aa4f8345805470d5185327fc06b946f2f690dd983a79343cc3dd7488d6ab9ec
- SHA512: c3beef74ee7924bfece3418a2522abf87f8051d9022483454ce286789418b36d55fe6d64df29da865faf2ce8f161723d77b9d1a8a058af15a1c60aef36e04308

C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp.bat
- Filesize: 160B
- MD5: 7577c36df6e5fd7e3e4f3c9281a74888
- SHA1: 53a8b5a4d6fa607e154eee67c7b95a63e2e0d679
- SHA256: 37cefef138653b68c1a5e33613b7121bed4539d1998f388c80cd6b9bec71ff9f
- SHA512: 76f0c24550c1e01b1ec673c9f4edc6a07413a8e192320de26af41fe0a95b97767f34eba4e28ba2e091932aad6d21ecc13cda2468e4d53ec7baa6aa03039b98db

C:\Users\Admin\AppData\Local\Tempwinlogon.exe (listed twice in the report)
- Filesize: 96KB
- MD5: 3437d71b31312c0c0bc33b06fa42741b
- SHA1: 38d4338f4aa3eb3a190725d9281f5b972160161a
- SHA256: 62205ec6c648a46c4ad0d1b7a63965f6bd94acda50149478dc05a1f5af6ff215
- SHA512: b20402563a66c969d4e2251260f9cffa3c8c3a4de1a9c1a16386b681b3b3e78fb8aa294203bb430dc08859ac366a7376d9855128d216179f66fa20eab8ecbf62

C:\Users\Admin\AppData\Roaming\Windows Explorer.exe (listed twice in the report; identical hashes to Tempwinlogon.exe above)
- Filesize: 96KB
- MD5: 3437d71b31312c0c0bc33b06fa42741b
- SHA1: 38d4338f4aa3eb3a190725d9281f5b972160161a
- SHA256: 62205ec6c648a46c4ad0d1b7a63965f6bd94acda50149478dc05a1f5af6ff215
- SHA512: b20402563a66c969d4e2251260f9cffa3c8c3a4de1a9c1a16386b681b3b3e78fb8aa294203bb430dc08859ac366a7376d9855128d216179f66fa20eab8ecbf62
Memory dumps
- memory/360-143-0x0000000000000000-mapping.dmp
- memory/1412-140-0x0000000000000000-mapping.dmp
- memory/1700-142-0x0000000000000000-mapping.dmp
- memory/1780-130-0x0000000000000000-mapping.dmp
- memory/2148-138-0x0000000000000000-mapping.dmp
- memory/4500-139-0x0000000000000000-mapping.dmp
- memory/5068-137-0x0000000005090000-0x000000000512C000-memory.dmp (Filesize: 624KB)
- memory/5068-136-0x0000000004C40000-0x0000000004CA6000-memory.dmp (Filesize: 408KB)
- memory/5068-135-0x0000000000150000-0x000000000016E000-memory.dmp (Filesize: 120KB)
- memory/5068-132-0x0000000000000000-mapping.dmp