Analysis

Max time kernel: 135s
Max time network: 145s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 05-07-2022 22:29

Static task: static1
Behavioral task: behavioral1
  Sample: 33dad047fbc03f81e8a9e63d99a7efe4.exe
  Resource: win7-20220414-en
General

Target: 33dad047fbc03f81e8a9e63d99a7efe4.exe
Size: 502KB
MD5: 33dad047fbc03f81e8a9e63d99a7efe4
SHA1: 6f3ae296412b498835b5ab3e9318062f9c7d7f2f
SHA256: 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d
SHA512: 9b6237231d97b8b3988c0831cf91c74f1c52f2741c319076200159a3bf5db13a4ba0e977c0c45c5df25b5608470c3d482fce36951ab29d4103b4c6441b98e4e6
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
  10.14.204.30:2022
  10.14.204.30:2019
  10.14.204.30:5631
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

Note: 10.14.204.30 is an RFC 1918 private address, so these C2 endpoints are only reachable from inside the network the sample was built for; hunting for them on internet egress will find nothing. With install set to false the RAT's self-copy persistence routine is disabled and install_folder is not used, so the only host IOCs to hunt are the mutex name and the in-memory payload.
Signatures

Async RAT payload (1 IoC)
  Resource: behavioral2/memory/3956-142-0x0000000000400000-0x0000000000412000-memory.dmp
  YARA rule: asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 33dad047fbc03f81e8a9e63d99a7efe4.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoC)
  PID 3116 (33dad047fbc03f81e8a9e63d99a7efe4.exe) set thread context of PID 3956 (33dad047fbc03f81e8a9e63d99a7efe4.exe)
  Together with the eight WriteProcessMemory calls into the same child below, this is the classic process-hollowing (RunPE) pattern: the sample starts a second copy of itself, writes a payload into it and redirects its thread; the AsyncRAT YARA match above sits in that child's memory at the 32-bit default image base 0x00400000.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature; the extracted configuration identifies the sample as AsyncRAT.)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4268 powershell.exe (2 entries)
  PID 3116 33dad047fbc03f81e8a9e63d99a7efe4.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4268 powershell.exe
  Token: SeDebugPrivilege, PID 3116 33dad047fbc03f81e8a9e63d99a7efe4.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3116 (33dad047fbc03f81e8a9e63d99a7efe4.exe) wrote to memory of PID 4268 (powershell.exe): 3 entries
  PID 3116 (33dad047fbc03f81e8a9e63d99a7efe4.exe) wrote to memory of PID 3956 (33dad047fbc03f81e8a9e63d99a7efe4.exe): 8 entries
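The WriteProcessMemory and SetThreadContext records above are only meaningful in combination. The following script is an added example, not part of the sandbox output: it parses records in the flattened "PID X wrote to memory of Y ..." form shown in this report, groups them by (source PID, target PID), and assigns a verdict. The record list is copied from this report (three writes to 4268, eight writes plus one SetThreadContext to 3956); the verdict labels and thresholds are this example's own assumptions, not the sandbox's scoring.

```python
"""Correlate WriteProcessMemory / SetThreadContext records into an injection verdict.

Added example for this report, not sandbox code. Records are copied from the
report's signature section; the verdict logic is an assumption of this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE = "33dad047fbc03f81e8a9e63d99a7efe4.exe"

# Records as listed in the report; list multiplication reproduces the repeats.
REPORT_RECORDS: List[str] = (
    [f"PID 3116 set thread context of 3956 3116 {SAMPLE} {SAMPLE}"]
    + [f"PID 3116 wrote to memory of 4268 3116 {SAMPLE} powershell.exe"] * 3
    + [f"PID 3116 wrote to memory of 3956 3116 {SAMPLE} {SAMPLE}"] * 8
)

# Flattened record layout: "PID <src> <action> <dst> <src> <src image> <dst image>"
_RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)


def parse_record(line: str) -> Optional[Tuple[int, str, int, str, str]]:
    """Return (src_pid, action, dst_pid, src_image, dst_image) or None if unparseable."""
    m = _RECORD.fullmatch(line.strip())
    if m is None:
        return None
    return (int(m["src"]), m["action"], int(m["dst"]), m["src_image"], m["dst_image"])


def correlate(lines) -> Dict[Tuple[int, int], dict]:
    """Group records by (source PID, target PID) and attach a verdict.

    Verdict rules (this example's assumption):
      writes + SetThreadContext + same image name -> "process hollowing"
        (a fresh copy of the sample gets a payload written in and its thread redirected)
      writes + SetThreadContext, different image  -> "thread hijack / injection"
      SetThreadContext only                       -> "thread context only"
      writes only                                 -> "write only"
    """
    pairs = defaultdict(lambda: {
        "writes": 0, "set_thread_context": False, "same_image": False, "target_image": None,
    })
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # tolerate unrelated or garbled lines
        src, action, dst, src_image, dst_image = rec
        entry = pairs[(src, dst)]
        entry["target_image"] = dst_image
        entry["same_image"] = src_image.lower() == dst_image.lower()
        if action == "wrote to memory of":
            entry["writes"] += 1
        else:
            entry["set_thread_context"] = True

    for entry in pairs.values():
        if entry["set_thread_context"] and entry["writes"] and entry["same_image"]:
            entry["verdict"] = "process hollowing"
        elif entry["set_thread_context"] and entry["writes"]:
            entry["verdict"] = "thread hijack / injection"
        elif entry["set_thread_context"]:
            entry["verdict"] = "thread context only"
        else:
            entry["verdict"] = "write only"
    return dict(pairs)


def hollowed_targets(lines) -> List[int]:
    """PIDs that received a process-hollowing verdict, sorted."""
    return sorted(dst for (_, dst), e in correlate(lines).items()
                  if e["verdict"] == "process hollowing")


if __name__ == "__main__":
    for (src, dst), e in correlate(REPORT_RECORDS).items():
        print(f"{src} -> {dst} ({e['target_image']}): {e['writes']} writes, "
              f"SetThreadContext={e['set_thread_context']}, verdict={e['verdict']}")
```

The writes into powershell.exe (PID 4268) have no accompanying SetThreadContext and a different image name, so they fall through to "write only"; the child copy of the sample (PID 3956) matches all three conditions, which is why the YARA hit for AsyncRAT is found in that process rather than in the parent.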
Processes

1. C:\Users\Admin\AppData\Local\Temp\33dad047fbc03f81e8a9e63d99a7efe4.exe (PID 3116)
   Command line: "C:\Users\Admin\AppData\Local\Temp\33dad047fbc03f81e8a9e63d99a7efe4.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4268)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      The -enc value is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 10
      The System32 path in the command line resolves to SysWOW64 because the parent is a 32-bit process subject to file system redirection.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\33dad047fbc03f81e8a9e63d99a7efe4.exe (PID 3956)
      Command line: C:\Users\Admin\AppData\Local\Temp\33dad047fbc03f81e8a9e63d99a7efe4.exe
      Second copy of the sample, the target of the WriteProcessMemory and SetThreadContext calls from PID 3116; the AsyncRAT YARA match is in this process's memory.
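Decoding an -EncodedCommand argument is the first thing to do with a PowerShell child like PID 4268. The script below is an added example, not part of the sandbox output: it tokenizes a Windows-style command line, recognizes -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc, and longer prefixes), base64-decodes the value and interprets it as UTF-16LE, which is how powershell.exe expects it. The command line embedded in the block is copied from this report's process tree; the other inputs in the usage section are constructed. The small Windows tokenizer is a simplification, not a full CommandLineToArgvW.

```python
"""Decode a PowerShell -EncodedCommand argument from a raw process command line.

Added example for this report, not sandbox code. REPORT_CMDLINE is copied from
the report's process tree; every other input is constructed for illustration.
"""
import base64
import re
from typing import Optional

# Command line recorded in the report for PID 4268.
REPORT_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA=="
)

# Keep double-quoted tokens whole, split everything else on whitespace.
# Simplified Windows tokenizer; sufficient for sandbox process trees.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _is_encoded_command_flag(token: str) -> bool:
    """True for -EncodedCommand and the short forms PowerShell accepts (-e, -ec, -enc, ...)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    # -ec is a documented alias that is not a plain prefix of "encodedcommand".
    return name in ("e", "ec") or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script text, or None if no valid -EncodedCommand is present."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    for flag, value in zip(tokens, tokens[1:]):
        if not _is_encoded_command_flag(flag):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        # powershell.exe encodes the script as UTF-16LE; an odd byte count cannot be UTF-16.
        if len(raw) % 2:
            return None
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return None
    return None


def encode_command(script: str) -> str:
    """Inverse operation: the value powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    print(decode_encoded_command(REPORT_CMDLINE))
```

For this sample the decoded command is a ten-second sleep, a cheap sandbox-evasion delay rather than a download stage; the encode helper makes it easy to build test cases for your own detection content from a known script.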
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\33dad047fbc03f81e8a9e63d99a7efe4.exe.log
  Filesize: 921B
  MD5: cd1832602f786d9cd079570687242b7f
  SHA1: c3efd7817536baa0400f8defd8bf72b94f3954b9
  SHA256: 67b172ef0e303ff3eaae46d2927e197b636772ab6a359d3e440c8209934f8022
  SHA512: 780150109ca3b56ee1ab94329f828be9cd79506c943cf0549028660541ce8674fd39ca603341504f9ac6e17493a771126a7eb8cfb6966413bd34d94d33ef71e3
  (A usage log under CLR_v4.0_32 is written by the .NET Framework 4 runtime for a 32-bit managed process, so the sample is a 32-bit .NET executable; this matches the SysWOW64 powershell.exe launch above.)

Memory dumps

PID 3116 (parent sample)
  memory/3116-130-0x0000000000770000-0x00000000007F4000-memory.dmp    Filesize: 528KB
  memory/3116-140-0x0000000005CF0000-0x0000000005D82000-memory.dmp    Filesize: 584KB

PID 3956 (hollowed child)
  memory/3956-141-0x0000000000000000-mapping.dmp
  memory/3956-142-0x0000000000400000-0x0000000000412000-memory.dmp    Filesize: 72KB
  (0x00400000 is the default image base of a 32-bit executable and the 0x12000-byte region is where the asyncrat YARA rule matched; this dump is the unpacked payload to carve a PE from.)

PID 4268 (powershell.exe)
  memory/4268-131-0x0000000000000000-mapping.dmp
  memory/4268-132-0x0000000004CD0000-0x0000000004D06000-memory.dmp    Filesize: 216KB
  memory/4268-133-0x0000000005350000-0x0000000005978000-memory.dmp    Filesize: 6.2MB
  memory/4268-134-0x0000000005AD0000-0x0000000005AF2000-memory.dmp    Filesize: 136KB
  memory/4268-135-0x0000000005CB0000-0x0000000005D16000-memory.dmp    Filesize: 408KB
  memory/4268-136-0x0000000005D90000-0x0000000005DF6000-memory.dmp    Filesize: 408KB
  memory/4268-137-0x0000000006250000-0x000000000626E000-memory.dmp    Filesize: 120KB
  memory/4268-138-0x0000000007A90000-0x000000000810A000-memory.dmp    Filesize: 6.5MB
  memory/4268-139-0x0000000006750000-0x000000000676A000-memory.dmp    Filesize: 104KB