Analysis
- max time kernel: 38s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2022 18:31
Behavioral task: behavioral1
- Sample: _.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: _.exe
- Resource: win10-20220722-en
General
- Target: _.exe
- Size: 54KB
- MD5: 372bbbd0c71b8c26c57fa9b95e0cc77d
- SHA1: 6c88c48264407b845bef8b669a610de1ceb04536
- SHA256: 8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b
- SHA512: 9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632
Malware Config
Signatures
- Async RAT payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1920-54-0x0000000000800000-0x0000000000814000-memory.dmp | asyncrat
    C:\Users\Admin\AppData\Roaming\.exe | asyncrat
    C:\Users\Admin\AppData\Roaming\.exe | asyncrat
    behavioral1/memory/1208-63-0x0000000000C70000-0x0000000000C84000-memory.dmp | asyncrat
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1208 | .exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes:
    pid | process
    1512 | attrib.exe
    1752 | attrib.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\.exe\"" | _.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    528 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid | process
    1920 | _.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1920 | _.exe
    Token: SeDebugPrivilege | 1208 | .exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description | pid | process | target process
    PID 1920 wrote to memory of 1512 | 1920 | _.exe | attrib.exe
    PID 1920 wrote to memory of 1512 | 1920 | _.exe | attrib.exe
    PID 1920 wrote to memory of 1512 | 1920 | _.exe | attrib.exe
    PID 1920 wrote to memory of 1752 | 1920 | _.exe | attrib.exe
    PID 1920 wrote to memory of 1752 | 1920 | _.exe | attrib.exe
    PID 1920 wrote to memory of 1752 | 1920 | _.exe | attrib.exe
    PID 1920 wrote to memory of 564 | 1920 | _.exe | cmd.exe
    PID 1920 wrote to memory of 564 | 1920 | _.exe | cmd.exe
    PID 1920 wrote to memory of 564 | 1920 | _.exe | cmd.exe
    PID 564 wrote to memory of 528 | 564 | cmd.exe | timeout.exe
    PID 564 wrote to memory of 528 | 564 | cmd.exe | timeout.exe
    PID 564 wrote to memory of 528 | 564 | cmd.exe | timeout.exe
    PID 564 wrote to memory of 1208 | 564 | cmd.exe | .exe
    PID 564 wrote to memory of 1208 | 564 | cmd.exe | .exe
    PID 564 wrote to memory of 1208 | 564 | cmd.exe | .exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
    pid | process
    1512 | attrib.exe
    1752 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\_.exe"
  Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming"
    Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.exe"
    Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACF3.tmp.bat""
    Signatures:
      - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      Signatures:
        - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\.exe
      Command line: "C:\Users\Admin\AppData\Roaming\.exe"
      Signatures:
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpACF3.tmp.bat
  Filesize: 144B
  MD5: be5e4c8dd18ed25ae0674db64b658658
  SHA1: a700ed3f01db4f7d905dae3e957208a25432a083
  SHA256: db0ea282cfd141c1a02f41261e0e5a3adaed675f490d4985f21bca0cc21e32ae
  SHA512: 32745614b79d97a978cec6f4697a1c10cd51e749fff077311699e5d1b277521ec912676a8b560d7a53fe72b805ee1eff23238e7970e07c9c4f5f41eb762373ac
- C:\Users\Admin\AppData\Roaming\.exe
  Filesize: 54KB
  MD5: 372bbbd0c71b8c26c57fa9b95e0cc77d
  SHA1: 6c88c48264407b845bef8b669a610de1ceb04536
  SHA256: 8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b
  SHA512: 9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632
- memory/528-60-0x0000000000000000-mapping.dmp
- memory/564-58-0x0000000000000000-mapping.dmp
- memory/1208-61-0x0000000000000000-mapping.dmp
- memory/1208-63-0x0000000000C70000-0x0000000000C84000-memory.dmp
  Filesize: 80KB
- memory/1512-55-0x0000000000000000-mapping.dmp
- memory/1752-56-0x0000000000000000-mapping.dmp
- memory/1920-54-0x0000000000800000-0x0000000000814000-memory.dmp
  Filesize: 80KB