Analysis
max time kernel: 128s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-07-2022 22:33
Static task: static1
General
Target: 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
Size: 502KB
MD5: 33dad047fbc03f81e8a9e63d99a7efe4
SHA1: 6f3ae296412b498835b5ab3e9318062f9c7d7f2f
SHA256: 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d
SHA512: 9b6237231d97b8b3988c0831cf91c74f1c52f2741c319076200159a3bf5db13a4ba0e977c0c45c5df25b5608470c3d482fce36951ab29d4103b4c6441b98e4e6
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Group: Default
C2: 10.14.204.30:2022
C2: 10.14.204.30:2019
C2: 10.14.204.30:5631
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/4996-142-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  description | pid | process | target process
  PID 4528 set thread context of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  pid | process
  4440 | powershell.exe
  4440 | powershell.exe
  4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  description | pid | process
  Token: SeDebugPrivilege | 4440 | powershell.exe
  Token: SeDebugPrivilege | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  description | pid | process | target process
  PID 4528 wrote to memory of 4440 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | powershell.exe
  PID 4528 wrote to memory of 4440 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | powershell.exe
  PID 4528 wrote to memory of 4440 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | powershell.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  PID 4528 wrote to memory of 4996 | 4528 | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe | 4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
    (the -enc argument is base64 of the UTF-16LE string "Start-Sleep -Seconds 10")
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4e75cb29be96283f4f05a840c4ed6ff23ed3ff24fcf32af2845a5b187261439d.exe.log
  Filesize: 921B
  MD5: cd1832602f786d9cd079570687242b7f
  SHA1: c3efd7817536baa0400f8defd8bf72b94f3954b9
  SHA256: 67b172ef0e303ff3eaae46d2927e197b636772ab6a359d3e440c8209934f8022
  SHA512: 780150109ca3b56ee1ab94329f828be9cd79506c943cf0549028660541ce8674fd39ca603341504f9ac6e17493a771126a7eb8cfb6966413bd34d94d33ef71e3

memory/4440-136-0x0000000004D70000-0x0000000004DD6000-memory.dmp
  Filesize: 408KB

memory/4440-132-0x00000000020F0000-0x0000000002126000-memory.dmp
  Filesize: 216KB

memory/4440-133-0x0000000004DF0000-0x0000000005418000-memory.dmp
  Filesize: 6.2MB

memory/4440-134-0x0000000004A30000-0x0000000004A52000-memory.dmp
  Filesize: 136KB

memory/4440-135-0x0000000004B50000-0x0000000004BB6000-memory.dmp
  Filesize: 408KB

memory/4440-137-0x0000000005A00000-0x0000000005A1E000-memory.dmp
  Filesize: 120KB

memory/4440-138-0x0000000007030000-0x00000000076AA000-memory.dmp
  Filesize: 6.5MB

memory/4440-139-0x0000000005F00000-0x0000000005F1A000-memory.dmp
  Filesize: 104KB

memory/4440-131-0x0000000000000000-mapping.dmp

memory/4528-130-0x0000000000990000-0x0000000000A14000-memory.dmp
  Filesize: 528KB

memory/4528-140-0x0000000005F20000-0x0000000005FB2000-memory.dmp
  Filesize: 584KB

memory/4996-141-0x0000000000000000-mapping.dmp

memory/4996-142-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB