Analysis
- max time kernel: 90s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-09-2022 23:02
- Static task: static1
- Behavioral task: behavioral1 (Sample: 168ee8403709fc4848328051ff819157.exe, Resource: win7-20220812-en)
- Behavioral task: behavioral2 (Sample: 168ee8403709fc4848328051ff819157.exe, Resource: win10v2004-20220812-en)
General
- Target: 168ee8403709fc4848328051ff819157.exe
- Size: 70KB
- MD5: 168ee8403709fc4848328051ff819157
- SHA1: bf96e4267c22e283d192e34fc50ded40802ac83c
- SHA256: bf765420bbb03b49f594002013915e508160a4efede03e051075cabad32c51b3
- SHA512: 9e86bdb6f49881fc39a1cea97047164dc02e21cb8bfc43526997840effcde497c3411bfed256fce7738f3b3a3814d1fb8f4295cec09034453aff326cf97a449c
- SSDEEP: 1536:L2pM3Poamv/TQ6MLXIRakKVyreBOPew0ikXx5utYdsOWg+7/MajDw:iW3ADXcBURL4OmikXbuuVA/Rw
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Group (botnet ID): Default
- C2: 20.171.107.243:6606, 20.171.107.243:7707, 20.171.107.243:8808, rositxado.tk:6606, rositxado.tk:7707, rositxado.tk:8808
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
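The extracted config gives the atomic indicators a responder would pivot on: the C2 host and port pairs, the mutex, and (from the signatures further down) the two external-IP lookup services the implant contacts. Note that install is false, so the RAT's own installer does not run; the persistence seen in this run came from the dropper's powershell.exe writing the HWMonitor Run value instead. The script below is an added example, not part of the sandbox report or of AsyncRAT: it scores Sysmon-style network and mutex events against those indicators. The event records and the non-C2 IP addresses are constructed for illustration, and the field names are an assumption.

```python
"""Match the AsyncRAT indicators extracted above (C2 host/port pairs, mutex)
plus the IP-lookup hosts from the signatures against Sysmon-style events.
Added example: the event records below are constructed for illustration and
are not telemetry from the sandbox run."""

# Indicators copied from the extracted config and signatures on this page.
C2_HOSTS = {"20.171.107.243", "rositxado.tk"}
C2_PORTS = {6606, 7707, 8808}            # also AsyncRAT's stock default ports
MUTEX = "AsyncMutex_6SI8OkPnk"
IP_LOOKUP_HOSTS = {"ip-api.com", "icanhazip.com"}

# Constructed records shaped like Sysmon event 3 (network connection) and a
# mutex-creation record. IPs for the non-C2 hosts are documentation ranges.
SAMPLE_EVENTS = [
    {"kind": "net", "pid": 2756, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst_host": "rositxado.tk", "dst_ip": "20.171.107.243", "dst_port": 6606},
    {"kind": "net", "pid": 2756, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst_host": "ip-api.com", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"kind": "net", "pid": 4321, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "example.org", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"kind": "net", "pid": 4321, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "", "dst_ip": "198.51.100.8", "dst_port": 7707},
    {"kind": "mutex", "pid": 2756, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "name": "AsyncMutex_6SI8OkPnk"},
    {"kind": "mutex", "pid": 900, "image": r"C:\Windows\explorer.exe", "name": "Local\\ShellMutex"},
]


def classify(event):
    """Return a verdict string for one event, or None when nothing matches.
    Host+port is a strong hit and host alone is still strong (operators
    rotate ports); port alone is weak because 6606/7707/8808 are the
    AsyncRAT defaults shared by many builds, so it is reported separately."""
    if event["kind"] == "net":
        host_hit = event["dst_host"] in C2_HOSTS or event["dst_ip"] in C2_HOSTS
        port_hit = event["dst_port"] in C2_PORTS
        if host_hit:
            return "c2-host-and-port" if port_hit else "c2-host-other-port"
        if event["dst_host"] in IP_LOOKUP_HOSTS:
            return "external-ip-lookup"
        if port_hit:
            return "asyncrat-default-port-only"
    elif event["kind"] == "mutex" and event["name"] == MUTEX:
        return "asyncrat-mutex"
    return None


def scan(events):
    """Return (pid, verdict) pairs for every event that matched."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev["pid"], verdict))
    return hits


if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS):
        print(pid, verdict)
```

The external-IP lookup is reported as its own verdict rather than folded into the C2 match: on its own it is common in legitimate software, but coming from an unparented RegAsm.exe alongside a C2 connection it corroborates the infection rather than proving it.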
Signatures
-
Async RAT payload 1 IoCs
Processes:
resource: behavioral2/memory/2756-141-0x0000000000400000-0x0000000000412000-memory.dmp
yara_rule: asyncrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\HWMonitor.exe" (process: powershell.exe)
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 38: ip-api.com
flow 30: icanhazip.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 2492 (168ee8403709fc4848328051ff819157.exe) set thread context of PID 2756 (RegAsm.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (process: RegAsm.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: RegAsm.exe)
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid 2640 powershell.exe (2 entries)
pid 2756 RegAsm.exe (24 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeDebugPrivilege, pid 2640 powershell.exe
Token: SeDebugPrivilege, pid 2756 RegAsm.exe
Token: SeSecurityPrivilege, pid 4112 msiexec.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
PID 2492 (168ee8403709fc4848328051ff819157.exe) wrote to memory of PID 2640 (powershell.exe): 3 entries
PID 2492 (168ee8403709fc4848328051ff819157.exe) wrote to memory of PID 2756 (RegAsm.exe): 8 entries
PID 2756 (RegAsm.exe) wrote to memory of PID 3768 (cmd.exe): 3 entries
PID 3768 (cmd.exe) wrote to memory of PID 4800 (chcp.com): 3 entries
PID 3768 (cmd.exe) wrote to memory of PID 380 (netsh.exe): 3 entries
PID 3768 (cmd.exe) wrote to memory of PID 4648 (findstr.exe): 3 entries
PID 2756 (RegAsm.exe) wrote to memory of PID 2992 (cmd.exe): 3 entries
PID 2992 (cmd.exe) wrote to memory of PID 396 (chcp.com): 3 entries
PID 2992 (cmd.exe) wrote to memory of PID 1500 (netsh.exe): 3 entries
outlook_office_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
outlook_win_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\vlc\HWMonitor.exe"' -PropertyType 'String'
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001
      - [4] C:\Windows\SysWOW64\netsh.exe
        command line: netsh wlan show profile
      - [4] C:\Windows\SysWOW64\findstr.exe
        command line: findstr All
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001
      - [4] C:\Windows\SysWOW64\netsh.exe
        command line: netsh wlan show networks mode=bssid
- [1] C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
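The process tree is the part of this report that turns into durable detections: the dropper starts RegAsm.exe with nothing but its own path on the command line and then hollows it (SetThreadContext plus WriteProcessMemory from PID 2492 into 2756), the hollowed RegAsm.exe shells out to netsh wlan show profile and netsh wlan show networks to harvest Wi-Fi profiles, and powershell.exe writes a Run value that points into %AppData%\Roaming. The rules below are an added example written for this page, not tooling from the sandbox vendor or from the malware; the events are constructed to mirror the tree, the field names follow Sysmon event 1 as an assumption, and the Framework64 RegAsm path is added as an assumption since the page shows only the 32-bit one.

```python
"""Behavioural rules distilled from the process tree above: RegAsm.exe started
with a bare command line (the hollowing target), netsh wlan harvesting under
that RegAsm.exe, and powershell.exe writing a Run value into %AppData%.
Added example; the events are constructed to mirror the tree and are not
sandbox output. Field names are Sysmon event 1 style, assumed here."""
import ntpath
import re

# The page shows the 32-bit Framework path; Framework64 is added as an assumption.
REGASM_PATHS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe",
    r"c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe",
}
RUN_KEY_RE = re.compile(r"currentversion\\run", re.IGNORECASE)
WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)", re.IGNORECASE)

# Command line copied from the tree above.
PS_CMD = '"powershell.exe" ' + r"""Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\vlc\HWMonitor.exe"' -PropertyType 'String'"""

# Constructed process-creation records mirroring the tree, plus one benign control.
SAMPLE_EVENTS = [
    {"pid": 2492, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe"'},
    {"pid": 2640, "ppid": 2492, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_CMD},
    {"pid": 2756, "ppid": 2492, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 3768, "ppid": 2756, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"pid": 380, "ppid": 3768, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    # Benign control (constructed): an installer registering a COM assembly passes an argument.
    {"pid": 5000, "ppid": 4112, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files\Vendor\Vendor.dll" /codebase'},
]


def ancestors(event, by_pid):
    """Walk parent links upward; the seen-set guards against cycles in stitched data."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def rules_for(event, by_pid):
    """Return the list of rule names that fire for one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    lc = cmd.lower()
    fired = []
    # R1: RegAsm.exe with nothing but its own path on the command line. Real use
    # passes an assembly to register; the bare form is the hollowing target the
    # loader created before SetThreadContext/WriteProcessMemory into it.
    if image in REGASM_PATHS and cmd.strip().strip('"').lower() == image:
        fired.append("regasm-bare-cmdline")
    # R2: netsh wlan show profile/networks anywhere below a RegAsm.exe.
    if WLAN_RE.search(cmd) and any(a["image"].lower() in REGASM_PATHS for a in ancestors(event, by_pid)):
        fired.append("wlan-profile-harvest-under-regasm")
    # R3: powershell.exe creating a Run value whose target lives under %AppData%\Roaming.
    if (ntpath.basename(image) == "powershell.exe" and "new-itemproperty" in lc
            and RUN_KEY_RE.search(lc) and "\\appdata\\roaming\\" in lc):
        fired.append("powershell-run-key-to-appdata")
    return fired


def scan(events):
    """Return (pid, rule) pairs for every event that triggered a rule."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["pid"], rule) for e in events for rule in rules_for(e, by_pid)]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(pid, rule)
```

R1 is the rule worth tuning most carefully: RegAsm.exe is a signed .NET SDK binary that installers do launch, but always with an assembly path argument, so the bare command line combined with a parent outside Program Files or Windows is a high-signal hollowing indicator. R2 fires on both the cmd.exe wrapper and the netsh.exe child because the ancestor walk reaches RegAsm.exe from either; dedupe by process tree in the alerting layer rather than here.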
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/380-153-0x0000000000000000-mapping.dmp
- memory/396-156-0x0000000000000000-mapping.dmp
- memory/1500-157-0x0000000000000000-mapping.dmp
- memory/2492-132-0x00000000000F0000-0x0000000000108000-memory.dmp (Filesize 96KB)
- memory/2492-133-0x0000000005130000-0x00000000056D4000-memory.dmp (Filesize 5.6MB)
- memory/2492-134-0x0000000004AB0000-0x0000000004B42000-memory.dmp (Filesize 584KB)
- memory/2492-135-0x0000000004B50000-0x0000000004B5A000-memory.dmp (Filesize 40KB)
- memory/2492-136-0x0000000004C40000-0x0000000004CB6000-memory.dmp (Filesize 472KB)
- memory/2492-137-0x0000000004CC0000-0x0000000004CDE000-memory.dmp (Filesize 120KB)
- memory/2640-144-0x0000000005D90000-0x0000000005DF6000-memory.dmp (Filesize 408KB)
- memory/2640-140-0x0000000004EB0000-0x0000000004EE6000-memory.dmp (Filesize 216KB)
- memory/2640-143-0x0000000005CF0000-0x0000000005D12000-memory.dmp (Filesize 136KB)
- memory/2640-138-0x0000000000000000-mapping.dmp
- memory/2640-145-0x0000000005E70000-0x0000000005ED6000-memory.dmp (Filesize 408KB)
- memory/2640-146-0x0000000006460000-0x000000000647E000-memory.dmp (Filesize 120KB)
- memory/2640-147-0x00000000069D0000-0x0000000006A66000-memory.dmp (Filesize 600KB)
- memory/2640-148-0x0000000006950000-0x000000000696A000-memory.dmp (Filesize 104KB)
- memory/2640-149-0x00000000069A0000-0x00000000069C2000-memory.dmp (Filesize 136KB)
- memory/2640-142-0x0000000005610000-0x0000000005C38000-memory.dmp (Filesize 6.2MB)
- memory/2756-150-0x0000000005C40000-0x0000000005CDC000-memory.dmp (Filesize 624KB)
- memory/2756-139-0x0000000000000000-mapping.dmp
- memory/2756-141-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
- memory/2992-155-0x0000000000000000-mapping.dmp
- memory/3768-151-0x0000000000000000-mapping.dmp
- memory/4648-154-0x0000000000000000-mapping.dmp
- memory/4800-152-0x0000000000000000-mapping.dmp