Analysis
- max time kernel: 186s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 20:01
Static task: static1
Behavioral task: behavioral1
  Sample: a67e24a8575521f3eb6601dd6c2de85f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a67e24a8575521f3eb6601dd6c2de85f.exe
  Resource: win10v2004-20220414-en
General
- Target: a67e24a8575521f3eb6601dd6c2de85f.exe
- Size: 1.1MB
- MD5: a67e24a8575521f3eb6601dd6c2de85f
- SHA1: 4f7e56953e1e47397c277fd23487c3e29932ca55
- SHA256: 00bcbf44a3a8dfdd43324ad3dc7a868049bc1856237d97307cc1bbec2ce68ffe
- SHA512: 7ca3482f8ea42fc0554b23d21e277f0d7edaf44a0ba08606bf02af86328d5a1ad18917b47fa3f111c68ab2e267954eb8fccc9b404cf3c1433baf312a80a9c01c
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: luispereiralora09.con-ip.com:1990
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/364-141-0x0000000000400000-0x0000000000412000-memory.dmp
    yara_rule: asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: a67e24a8575521f3eb6601dd6c2de85f.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    process: a67e24a8575521f3eb6601dd6c2de85f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: a67e24a8575521f3eb6601dd6c2de85f.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pefyap = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ajzyz\\Pefyap.exe\""
    process: a67e24a8575521f3eb6601dd6c2de85f.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: a67e24a8575521f3eb6601dd6c2de85f.exe
    description: PID 3264 set thread context of 364
    pid: 3264
    process: a67e24a8575521f3eb6601dd6c2de85f.exe
    target process: InstallUtil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, a67e24a8575521f3eb6601dd6c2de85f.exe
    pid 916, process powershell.exe
    pid 916, process powershell.exe
    pid 3264, process a67e24a8575521f3eb6601dd6c2de85f.exe
    pid 3264, process a67e24a8575521f3eb6601dd6c2de85f.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: a67e24a8575521f3eb6601dd6c2de85f.exe, powershell.exe, InstallUtil.exe
    description Token: SeDebugPrivilege, pid 3264, process a67e24a8575521f3eb6601dd6c2de85f.exe
    description Token: SeDebugPrivilege, pid 916, process powershell.exe
    description Token: SeDebugPrivilege, pid 364, process InstallUtil.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: a67e24a8575521f3eb6601dd6c2de85f.exe
    description "PID 3264 wrote to memory of 916", pid 3264, process a67e24a8575521f3eb6601dd6c2de85f.exe, target process powershell.exe (3 identical entries)
    description "PID 3264 wrote to memory of 364", pid 3264, process a67e24a8575521f3eb6601dd6c2de85f.exe, target process InstallUtil.exe (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a67e24a8575521f3eb6601dd6c2de85f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a67e24a8575521f3eb6601dd6c2de85f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -enc argument base64-decodes, as UTF-16LE, to: Start-Sleep -Seconds 20)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/364-140-0x0000000000000000-mapping.dmp
- memory/364-143-0x0000000006250000-0x00000000067F4000-memory.dmp (Filesize 5.6MB)
- memory/364-142-0x0000000005C00000-0x0000000005C9C000-memory.dmp (Filesize 624KB)
- memory/364-141-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
- memory/916-136-0x00000000058F0000-0x0000000005956000-memory.dmp (Filesize 408KB)
- memory/916-135-0x0000000005880000-0x00000000058E6000-memory.dmp (Filesize 408KB)
- memory/916-137-0x0000000005700000-0x000000000571E000-memory.dmp (Filesize 120KB)
- memory/916-138-0x0000000007440000-0x0000000007ABA000-memory.dmp (Filesize 6.5MB)
- memory/916-139-0x00000000062A0000-0x00000000062BA000-memory.dmp (Filesize 104KB)
- memory/916-134-0x0000000005780000-0x00000000057A2000-memory.dmp (Filesize 136KB)
- memory/916-133-0x0000000004F70000-0x0000000005598000-memory.dmp (Filesize 6.2MB)
- memory/916-132-0x0000000002840000-0x0000000002876000-memory.dmp (Filesize 216KB)
- memory/916-131-0x0000000000000000-mapping.dmp
- memory/3264-130-0x0000000000BF0000-0x0000000000D18000-memory.dmp (Filesize 1.2MB)