Analysis

- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 08:40

Static task: static1

Behavioral task: behavioral1
- Sample: ea38cfcc0258377c4feedfc30ed0bbc1.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: ea38cfcc0258377c4feedfc30ed0bbc1.exe
- Resource: win10v2004-20220414-en
General

- Target: ea38cfcc0258377c4feedfc30ed0bbc1.exe
- Size: 180KB
- MD5: ea38cfcc0258377c4feedfc30ed0bbc1
- SHA1: 7b3bbfdffbfdaf8209d30f33c545b54abfd2816f
- SHA256: 1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64
- SHA512: 3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc
Malware Config

Extracted family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: 62.197.136.195:3333
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: testversion.exe
- install_folder: %Temp%
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: ea38cfcc0258377c4feedfc30ed0bbc1.exe, testversion.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\w7SjyOExCAfd.exe\",explorer.exe" (process: ea38cfcc0258377c4feedfc30ed0bbc1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\bPVD5EyqpQv0.exe\",explorer.exe" (process: testversion.exe)

Suricata alerts
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Async RAT payload (1 IoC)
- resource: behavioral2/memory/4636-136-0x0000000000400000-0x0000000000412000-memory.dmp, yara_rule: asyncrat

Executes dropped EXE (2 IoCs)
Processes: testversion.exe
- PID 2028 testversion.exe
- PID 4464 testversion.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: ea38cfcc0258377c4feedfc30ed0bbc1.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: ea38cfcc0258377c4feedfc30ed0bbc1.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes: ea38cfcc0258377c4feedfc30ed0bbc1.exe, testversion.exe
- PID 3368 (ea38cfcc0258377c4feedfc30ed0bbc1.exe) set thread context of PID 4636 (ea38cfcc0258377c4feedfc30ed0bbc1.exe)
- PID 2028 (testversion.exe) set thread context of PID 4464 (testversion.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
- PID 4552 timeout.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: ea38cfcc0258377c4feedfc30ed0bbc1.exe, testversion.exe
- PID 3368 ea38cfcc0258377c4feedfc30ed0bbc1.exe (6 entries)
- PID 4636 ea38cfcc0258377c4feedfc30ed0bbc1.exe (23 entries)
- PID 2028 testversion.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: ea38cfcc0258377c4feedfc30ed0bbc1.exe, testversion.exe
- Token: SeDebugPrivilege, PID 3368 ea38cfcc0258377c4feedfc30ed0bbc1.exe (2 entries)
- Token: SeDebugPrivilege, PID 4636 ea38cfcc0258377c4feedfc30ed0bbc1.exe
- Token: SeDebugPrivilege, PID 2028 testversion.exe (2 entries)
- Token: SeDebugPrivilege, PID 4464 testversion.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes: ea38cfcc0258377c4feedfc30ed0bbc1.exe, cmd.exe, testversion.exe
- PID 3368 (ea38cfcc0258377c4feedfc30ed0bbc1.exe) wrote to memory of PID 976 (ea38cfcc0258377c4feedfc30ed0bbc1.exe): 3 entries
- PID 3368 (ea38cfcc0258377c4feedfc30ed0bbc1.exe) wrote to memory of PID 4636 (ea38cfcc0258377c4feedfc30ed0bbc1.exe): 8 entries
- PID 4636 (ea38cfcc0258377c4feedfc30ed0bbc1.exe) wrote to memory of PID 1404 (cmd.exe): 3 entries
- PID 4636 (ea38cfcc0258377c4feedfc30ed0bbc1.exe) wrote to memory of PID 1288 (cmd.exe): 3 entries
- PID 1288 (cmd.exe) wrote to memory of PID 4552 (timeout.exe): 3 entries
- PID 1404 (cmd.exe) wrote to memory of PID 3748 (schtasks.exe): 3 entries
- PID 1288 (cmd.exe) wrote to memory of PID 2028 (testversion.exe): 3 entries
- PID 2028 (testversion.exe) wrote to memory of PID 4464 (testversion.exe): 8 entries
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
  Signatures: Modifies WinLogon for persistence; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"'
        Signatures: Creates scheduled task(s)
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3C2.tmp.bat""
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\testversion.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\testversion.exe"
        Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Users\Admin\AppData\Local\Temp\testversion.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\testversion.exe"
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Temp\testversion.exe
  Filesize: 180KB
  MD5: ea38cfcc0258377c4feedfc30ed0bbc1
  SHA1: 7b3bbfdffbfdaf8209d30f33c545b54abfd2816f
  SHA256: 1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64
  SHA512: 3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc
- C:\Users\Admin\AppData\Local\Temp\tmpC3C2.tmp.bat
  Filesize: 158B
  MD5: 57c59605e1a87e04b6e19a5a5bcdffd9
  SHA1: 6d90f7cedd2446e3d8bf46e703e7ba6a6ef4dba8
  SHA256: 00f8ff824778e2e0f18b3c6f305c83212e1e0175fa6046379371cc1958522462
  SHA512: 5f8b2b05306a38d4b4dee10b5ead006e2d005c5001786e081ef4a7bbfd644fd9b8cbc02f7b6307f3a3b21de598d308e182acd969fea98ad20b891d233b79d196

Memory dumps
- memory/976-134-0x0000000000000000-mapping.dmp
- memory/1288-138-0x0000000000000000-mapping.dmp
- memory/1404-137-0x0000000000000000-mapping.dmp
- memory/2028-142-0x0000000000000000-mapping.dmp
- memory/3368-130-0x00000000004B0000-0x00000000004E4000-memory.dmp (Filesize: 208KB)
- memory/3368-133-0x0000000004E90000-0x0000000004E9A000-memory.dmp (Filesize: 40KB)
- memory/3368-132-0x0000000004EE0000-0x0000000004F72000-memory.dmp (Filesize: 584KB)
- memory/3368-131-0x0000000005490000-0x0000000005A34000-memory.dmp (Filesize: 5.6MB)
- memory/3748-141-0x0000000000000000-mapping.dmp
- memory/4464-145-0x0000000000000000-mapping.dmp
- memory/4552-140-0x0000000000000000-mapping.dmp
- memory/4636-136-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/4636-135-0x0000000000000000-mapping.dmp