a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

General

Target

A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Size

701KB
MD5

1bd98c5b4581aeff9b65ce5653f49cdf
SHA1

3091d81da54ed79391b456e8e94e6b939be2a316
SHA256

a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
SHA512

f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
Executes dropped EXE 1 IoCs

Processes:

syastem.exe

pid process

2940 syastem.exe

pid	process
2940	syastem.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	A4A60422374845BF0ABD892DD48D352978D697C883196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4176 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2904 timeout.exe

pid	process
4176	schtasks.exe

pid	process
2904	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exe

pid	process
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exesyastem.exe

description pid process

Token: SeDebugPrivilege 1056 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege 2940 syastem.exe

description	pid	process
Token: SeDebugPrivilege	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege	2940	syastem.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.execmd.execmd.exe

description	pid	process	target process
PID 1056 wrote to memory of 4216	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1056 wrote to memory of 4216	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1056 wrote to memory of 4216	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1056 wrote to memory of 3000	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1056 wrote to memory of 3000	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1056 wrote to memory of 3000	1056	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 4216 wrote to memory of 4176	4216	cmd.exe	schtasks.exe
PID 4216 wrote to memory of 4176	4216	cmd.exe	schtasks.exe
PID 4216 wrote to memory of 4176	4216	cmd.exe	schtasks.exe
PID 3000 wrote to memory of 2904	3000	cmd.exe	timeout.exe
PID 3000 wrote to memory of 2904	3000	cmd.exe	timeout.exe
PID 3000 wrote to memory of 2904	3000	cmd.exe	timeout.exe
PID 3000 wrote to memory of 2940	3000	cmd.exe	syastem.exe
PID 3000 wrote to memory of 2940	3000	cmd.exe	syastem.exe
PID 3000 wrote to memory of 2940	3000	cmd.exe	syastem.exe

C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe
"C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"'
3⤵
- Creates scheduled task(s)
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE3CD.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2904

C:\Users\Admin\AppData\Roaming\syastem.exe
"C:\Users\Admin\AppData\Roaming\syastem.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE3CD.tmp.bat
Filesize
151B

MD5
cc4454051978efd3736d91594ec93bec

SHA1
f13de765d88822e6289320cb2ba0a63c17037ba9

SHA256
cbb5bc6aa8f22e8c73ed80727459b408381496aff86dcc9714d6739464360b52

SHA512
5c23ca42660f5e75bd1e7fdad38c962bdaeb0e57865ccbc208451b7acc4ed66916686030bae5b896732eebc2be52875ab730c0375640e77c42aa7746d85e7314

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
memory/1056-131-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/1056-132-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/1056-133-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/1056-130-0x0000000000610000-0x00000000006C4000-memory.dmp

Filesize
720KB

Download
memory/2904-138-0x0000000000000000-mapping.dmp

Download
memory/2940-139-0x0000000000000000-mapping.dmp

Download
memory/2940-142-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/3000-135-0x0000000000000000-mapping.dmp

Download
memory/4176-136-0x0000000000000000-mapping.dmp

Download
memory/4216-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads