Analysis
- max time kernel: 140s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2022 17:14
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220718-en
General
- Target: tmp.exe
- Size: 479KB
- MD5: 4c6b01344809054252095695fe24aa5f
- SHA1: d1571b19723ebb0def5a71b7d977ef4c5bdb66ab
- SHA256: b20bdd03ad605edafccbed9cbf281d1fd370116dd07e335fc2f428e9efb2863b
- SHA512: a26600e8233e90034a3a731246bdc634bc30478ea995c37317ef2e8139200f09446c4b78b500ffec5d7a84045790d0e80d20e4ba58cf28f0e4358f80e1db3af0
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: secureyourdataarea1.duckdns.org:56390
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: false
  - install_file: svchost.exe
  - install_folder: %AppData%
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp.exe
- Neshta
  Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- Async RAT payload (6 IoCs)
  Processes (resource | yara_rule):
  - behavioral1/memory/1176-75-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1176-73-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1176-70-0x000000000040C74E-mapping.dmp | asyncrat
  - behavioral1/memory/1176-69-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1176-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  - behavioral1/memory/1176-67-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 2024 | tmp.exe
  - 1176 | tmp.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  - 1072 | tmp.exe
  - 1072 | tmp.exe
  - 2024 | tmp.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 2024 set thread context of 1176 | 2024 | tmp.exe | tmp.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc | process); every entry is "File opened for modification" by tmp.exe:
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
  - C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  - C:\PROGRA~2\INTERN~1\ieinstal.exe
  - C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  - C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  - C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
  - C:\PROGRA~2\WI54FB~1\setup_wm.exe
  - C:\PROGRA~2\WI54FB~1\wmprph.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  - C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  - C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  - C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
  - C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  - C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  - C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
  - C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  - C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
  - C:\PROGRA~2\WINDOW~1\wabmig.exe
  - C:\PROGRA~2\WI54FB~1\wmpshare.exe
  - C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  - C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
  - C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  - C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  - C:\PROGRA~2\Google\Update\DISABL~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  - C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  - C:\PROGRA~2\WI54FB~1\wmplayer.exe
  - C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  - C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  - C:\PROGRA~2\INTERN~1\iexplore.exe
  - C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
  - C:\PROGRA~2\WINDOW~1\wab.exe
  - C:\PROGRA~2\WI4223~1\sidebar.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
  - C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  - C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  - C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  - C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
- Drops file in Windows directory (1 IoC)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\svchost.com | tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 2024 | tmp.exe
  - Token: SeDebugPrivilege | 1176 | tmp.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
  - PID 1072 wrote to memory of 2024 | 1072 | tmp.exe | tmp.exe (recorded 4 times)
  - PID 2024 wrote to memory of 1176 | 2024 | tmp.exe | tmp.exe (recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1072, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures:
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe (PID 2024, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe (PID 1176, depth 3)
      Command line: 0
      Signatures:
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped/downloaded file (this entry appears five times in the report with identical hashes):
  Filesize: 438KB
  MD5: 61f89c90f92b2579d100f2af29f8375b
  SHA1: 94b645443699532b764963a6340dc2001de78146
  SHA256: 531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
  SHA512: fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
- Dropped/downloaded file:
  Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156