Analysis

max time kernel:   51s
max time network:  146s
platform:          windows10-1703_x64
resource:          win10-20220722-en
resource tags:     arch:x64, arch:x86, image:win10-20220722-en, locale:en-us, os:windows10-1703-x64, system
submitted:         05-08-2022 18:31
Behavioral task: behavioral1
  Sample:    _.exe
  Resource:  win7-20220715-en

Behavioral task: behavioral2
  Sample:    _.exe
  Resource:  win10-20220722-en
General

Target:  _.exe
Size:    54KB
MD5:     372bbbd0c71b8c26c57fa9b95e0cc77d
SHA1:    6c88c48264407b845bef8b669a610de1ceb04536
SHA256:  8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b
SHA512:  9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632
Malware Config
Signatures

Async RAT payload (3 IoCs)
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/4112-127-0x0000000000AA0000-0x0000000000AB4000-memory.dmp  asyncrat
    C:\Users\Admin\AppData\Roaming\.exe                                            asyncrat
    C:\Users\Admin\AppData\Roaming\.exe                                            asyncrat

Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    4260  .exe

Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes:
    pid   process
    3756  attrib.exe
    3052  attrib.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                    process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\.exe\""  _.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    2980  timeout.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid   process
    4112  _.exe  (same entry repeated 13 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4112  _.exe
    Token: SeDebugPrivilege  4260  .exe

Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                       pid   process  target process
    PID 4112 wrote to memory of 3756  4112  _.exe    attrib.exe
    PID 4112 wrote to memory of 3756  4112  _.exe    attrib.exe
    PID 4112 wrote to memory of 3052  4112  _.exe    attrib.exe
    PID 4112 wrote to memory of 3052  4112  _.exe    attrib.exe
    PID 4112 wrote to memory of 2064  4112  _.exe    cmd.exe
    PID 4112 wrote to memory of 2064  4112  _.exe    cmd.exe
    PID 2064 wrote to memory of 2980  2064  cmd.exe  timeout.exe
    PID 2064 wrote to memory of 2980  2064  cmd.exe  timeout.exe
    PID 2064 wrote to memory of 4260  2064  cmd.exe  .exe
    PID 2064 wrote to memory of 4260  2064  cmd.exe  .exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    3756  attrib.exe
    3052  attrib.exe
Processes (indentation shows process-tree depth)

C:\Users\Admin\AppData\Local\Temp\_.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\_.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\attrib.exe
    command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming"
    - Sets file to hidden
    - Views/modifies file attributes

  C:\Windows\System32\attrib.exe
    command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.exe"
    - Sets file to hidden
    - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B4A.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\.exe
      command line: "C:\Users\Admin\AppData\Roaming\.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7B4A.tmp.bat
  Filesize:  144B
  MD5:       0d1709f285740018daecc36ea23df7ae
  SHA1:      c15ada5c7d54f2d5507254b94ff861314c5cba7d
  SHA256:    2108147de94a3b4a6fccfbfad74799cd229a1a7d57e62dc36789c49bbd7b8b57
  SHA512:    d8c7d9a2b5302372f13474ee4e3c9ba2887b6d3b8f6f1f710857cd004842ae05335bc187989d5065ad79dea25663d97c60c93c1b0eb39a4ab8177e2998a33c7c

C:\Users\Admin\AppData\Roaming\.exe
  Filesize:  54KB
  MD5:       372bbbd0c71b8c26c57fa9b95e0cc77d
  SHA1:      6c88c48264407b845bef8b669a610de1ceb04536
  SHA256:    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b
  SHA512:    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

memory/2064-131-0x0000000000000000-mapping.dmp

memory/2980-133-0x0000000000000000-mapping.dmp

memory/3052-129-0x0000000000000000-mapping.dmp

memory/3756-128-0x0000000000000000-mapping.dmp

memory/4112-127-0x0000000000AA0000-0x0000000000AB4000-memory.dmp
  Filesize:  80KB

memory/4260-134-0x0000000000000000-mapping.dmp