a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

General

Target

A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Size

701KB
MD5

1bd98c5b4581aeff9b65ce5653f49cdf
SHA1

3091d81da54ed79391b456e8e94e6b939be2a316
SHA256

a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
SHA512

f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
Executes dropped EXE 1 IoCs

Processes:

syastem.exe

pid process

2388 syastem.exe

pid	process
2388	syastem.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	A4A60422374845BF0ABD892DD48D352978D697C883196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2752 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2224 timeout.exe

pid	process
2752	schtasks.exe

pid	process
2224	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exe

pid	process
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exesyastem.exe

description pid process

Token: SeDebugPrivilege 4588 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege 2388 syastem.exe

description	pid	process
Token: SeDebugPrivilege	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege	2388	syastem.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.execmd.execmd.exe

description	pid	process	target process
PID 4588 wrote to memory of 1164	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 4588 wrote to memory of 1164	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 4588 wrote to memory of 1164	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 4588 wrote to memory of 3768	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 4588 wrote to memory of 3768	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 4588 wrote to memory of 3768	4588	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1164 wrote to memory of 2752	1164	cmd.exe	schtasks.exe
PID 1164 wrote to memory of 2752	1164	cmd.exe	schtasks.exe
PID 1164 wrote to memory of 2752	1164	cmd.exe	schtasks.exe
PID 3768 wrote to memory of 2224	3768	cmd.exe	timeout.exe
PID 3768 wrote to memory of 2224	3768	cmd.exe	timeout.exe
PID 3768 wrote to memory of 2224	3768	cmd.exe	timeout.exe
PID 3768 wrote to memory of 2388	3768	cmd.exe	syastem.exe
PID 3768 wrote to memory of 2388	3768	cmd.exe	syastem.exe
PID 3768 wrote to memory of 2388	3768	cmd.exe	syastem.exe

C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe
"C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"'
3⤵
- Creates scheduled task(s)
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CEE.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2224

C:\Users\Admin\AppData\Roaming\syastem.exe
"C:\Users\Admin\AppData\Roaming\syastem.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1CEE.tmp.bat
Filesize
151B

MD5
50fad9c0514fb99c3d99fc3879d2160a

SHA1
7d2db9a732f4a9218b2ba0d67e94384e5f57a42e

SHA256
14727941378afdb4263516a7b35c8a592bb70e10fff9aa0f9bd35c40a4a8c7ff

SHA512
81a5a0691b421510232f49a2fb63fd5c5c1fcaaacbacdc88b2ee1158a36715ca983a019608ee9b42c99383b46098cce2678f885fa662e431009f6357b1e9590e

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
memory/1164-134-0x0000000000000000-mapping.dmp

Download
memory/2224-138-0x0000000000000000-mapping.dmp

Download
memory/2388-139-0x0000000000000000-mapping.dmp

Download
memory/2388-142-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2752-137-0x0000000000000000-mapping.dmp

Download
memory/3768-135-0x0000000000000000-mapping.dmp

Download
memory/4588-133-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/4588-130-0x0000000000910000-0x00000000009C4000-memory.dmp

Filesize
720KB

Download
memory/4588-132-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/4588-131-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads