Analysis
- max time kernel: 134s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-09-2022 16:48
Static task: static1
Behavioral task: behavioral1
- Sample: BOLETA DE CITACION SEPTIEMBRE.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: BOLETA DE CITACION SEPTIEMBRE.exe
- Resource: win10v2004-20220812-en
(The results below are those of behavioral2, the Windows 10 run: the platform line above and the behavioral2/ prefix on the yara hit both say so.)
General
- Target: BOLETA DE CITACION SEPTIEMBRE.exe
- Size: 1.8MB
- MD5: ff034e670af40d53470dc8f1536fd58e
- SHA1: cc48f6ec06ce2f4a5d11d4ba693413c807fb2c7d
- SHA256: e490c0eb6beec707ee6a46816aa7b765a98a5a637f66a854948270ed06b2332a
- SHA512: 4bb24683fb06a078ff448918f4e118015d88eb03e07ee4a66cf3200e15c5eb4888fd59349102932a3048eb24371bedd1909ef42aa9ac0d1a1b19d62eff24a5d3
- SSDEEP: 49152:pHIKvoo917KPKE7xPd9gAKl1mphxF1ZQik92/hRWGQX:tx92Kb5mzr1ljPWJX
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: dfdagreyt.duckdns.org:8091
- Mutex: AsyncMutex_6SI8OkPnk (the stock default from the public AsyncRAT source; the builder's mutex was left unchanged)
- delay: 3 (seconds the client waits before contacting the C2)
- install: false (the client does not copy itself; the Run-key persistence recorded below is the loader's doing)
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  yara_rule asyncrat matched behavioral2/memory/4880-143-0x0000000000400000-0x0000000000412000-memory.dmp, i.e. memory of InstallUtil.exe (PID 4880), not of the submitted file.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  BOLETA DE CITACION SEPTIEMBRE.exe: Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoCs)
  BOLETA DE CITACION SEPTIEMBRE.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpqsjqn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Klmgdma\\Mpqsjqn.exe\""
  The value is written by the submitted executable (PID 4004), not by the injected payload; with install = false in the extracted config, persistence comes from the loader rather than from AsyncRAT's own install routine.
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4004 BOLETA DE CITACION SEPTIEMBRE.exe set thread context of PID 4880 InstallUtil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description text for the signature; no IoC is attached to it in this report.)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1252 powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1252 powershell.exe
  Token: SeDebugPrivilege, PID 4004 BOLETA DE CITACION SEPTIEMBRE.exe
  Token: SeDebugPrivilege, PID 4880 InstallUtil.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4004 BOLETA DE CITACION SEPTIEMBRE.exe wrote to memory of PID 1252 powershell.exe (3 entries)
  PID 4004 BOLETA DE CITACION SEPTIEMBRE.exe wrote to memory of PID 4880 InstallUtil.exe (8 entries)
  Together with the SetThreadContext entry, the eight writes into InstallUtil.exe are the process-hollowing pattern: a .NET host process is created, the payload is written into it and the main thread's context is pointed at it, which is why the asyncrat yara rule fires on PID 4880's memory. The three writes into powershell.exe are consistent with ordinary process creation, which also writes the child's startup parameters from the parent.
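Detection logic for the three behaviours the Signatures section records, as an added example that is not the sandbox's code and not the report's data format. It evaluates constructed event records (shaped loosely like Sysmon registry, process-creation and DNS events, with field names chosen for this example) against a Run value pointing into AppData, an argument-less InstallUtil.exe launch followed by SetThreadContext from the same parent, and a lookup of the extracted C2 host. PIDs, paths and the registry value are copied from the report; the DNS event and the benign control events are constructed.

```python
"""Evaluate constructed events against the behaviours in this report."""
import re
from dataclasses import dataclass

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
# .NET utilities that loaders commonly start and hollow out
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
C2_HOSTS = {"dfdagreyt.duckdns.org"}  # from the Malware Config section


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def split_image(cmdline):
    """Return (image, rest) for a Windows command line; handles the common case
    of an optionally double-quoted image path followed by arguments."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end], c[end + 1:].strip()
    head, _, rest = c.partition(" ")
    return head, rest.strip()


def check_run_key(ev):
    """Run value whose data points into the user's AppData tree."""
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
        return None
    if APPDATA.search(ev["data"]):
        return Finding("run_key_into_appdata", ev["pid"], f'{ev["key"]} = {ev["data"]}')
    return None


def check_hollowing(events):
    """Pair an argument-less launch of a hollowing host with a later
    SetThreadContext from the same parent on that child."""
    spawned = {}
    for ev in events:
        if ev["type"] != "process_create":
            continue
        image, rest = split_image(ev["cmdline"])
        name = image.rsplit("\\", 1)[-1].lower()
        if name in HOLLOW_HOSTS and rest == "":
            spawned[ev["pid"]] = (ev["ppid"], name)
    findings = []
    for ev in events:
        if ev["type"] == "set_thread_context" and ev["target_pid"] in spawned:
            ppid, name = spawned[ev["target_pid"]]
            if ppid == ev["pid"]:
                findings.append(Finding("hollowed_dotnet_host", ev["pid"],
                                        f"{name} pid {ev['target_pid']}"))
    return findings


def check_c2(ev):
    if ev["type"] == "dns_query" and ev["query"].lower().rstrip(".") in C2_HOSTS:
        return Finding("asyncrat_c2_lookup", ev["pid"], ev["query"])
    return None


def evaluate(events):
    findings = [f for ev in events for f in (check_run_key(ev), check_c2(ev)) if f]
    findings.extend(check_hollowing(events))
    return findings


HKU = "\\REGISTRY\\USER\\S-1-5-21-2629973501-4017243118-3254762364-1000"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed events for this example; the first four mirror the report, the
# DNS lookup is assumed (the report's network section is empty here), and the
# last three are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4880, "ppid": 4004,
     "image": INSTALLUTIL, "cmdline": INSTALLUTIL},
    {"type": "set_thread_context", "pid": 4004, "target_pid": 4880},
    {"type": "registry_set", "pid": 4004,
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpqsjqn",
     "data": r'"C:\Users\Admin\AppData\Roaming\Klmgdma\Mpqsjqn.exe"'},
    {"type": "registry_query", "pid": 4004,  # the geofence read, not a Run write
     "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "dns_query", "pid": 4880, "query": "dfdagreyt.duckdns.org"},
    {"type": "process_create", "pid": 5000, "ppid": 4999,  # real InstallUtil use
     "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}" /u C:\\svc\\MyService.exe'},
    {"type": "set_thread_context", "pid": 4999, "target_pid": 5000},
    {"type": "registry_set", "pid": 5001,  # installer's Run value under Program Files
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\Program Files\Vendor\updater.exe"'},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:22} pid {f.pid}: {f.detail}")
```

The hollowing check deliberately keys on an empty argument list: a legitimate InstallUtil.exe run always names an assembly, so an argument-less launch from a non-system parent is the cheap discriminator, and the SetThreadContext pairing keeps a debugger attaching to a real run from firing it.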
Processes
- C:\Users\Admin\AppData\Local\Temp\BOLETA DE CITACION SEPTIEMBRE.exe (PID 4004, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\BOLETA DE CITACION SEPTIEMBRE.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1252, depth 2, child of 4004)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
    The -enc argument decodes (base64, then UTF-16LE) to Start-Sleep -Seconds 10: the loader spawns a ten-second sleep and nothing more, so the EnumeratesProcesses and SeDebugPrivilege entries for this PID are consistent with ordinary PowerShell host start-up rather than anything the script does. The image path is under SysWOW64 although the command line names System32; that is WoW64 file-system redirection, i.e. the parent is a 32-bit process (the resource tags carry arch:x86, and InstallUtil.exe below is taken from the 32-bit Framework directory).
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4880, depth 2, child of 4004)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Started with no arguments; this is the host process into which the parent wrote the AsyncRAT payload (the yara hit is on memory/4880-143).
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps, named memory/<pid>-<seq>-<start>-<end>-memory.dmp (mapping dumps carry no range or size); sizes as listed by the sandbox.
memory/4004-132-0x0000000000C50000-0x0000000000E22000-memory.dmp   1.8MB
memory/4004-133-0x0000000005AC0000-0x0000000005AE2000-memory.dmp   136KB
memory/1252-134-0x0000000000000000-mapping.dmp
memory/1252-135-0x0000000002DA0000-0x0000000002DD6000-memory.dmp   216KB
memory/1252-136-0x00000000056D0000-0x0000000005CF8000-memory.dmp   6.2MB
memory/1252-137-0x0000000005470000-0x00000000054D6000-memory.dmp   408KB
memory/1252-138-0x0000000005F30000-0x0000000005F96000-memory.dmp   408KB
memory/1252-139-0x0000000006360000-0x000000000637E000-memory.dmp   120KB
memory/1252-140-0x0000000007BB0000-0x000000000822A000-memory.dmp   6.5MB
memory/1252-141-0x0000000006860000-0x000000000687A000-memory.dmp   104KB
memory/4880-142-0x0000000000000000-mapping.dmp
memory/4880-143-0x0000000000400000-0x0000000000412000-memory.dmp   72KB   (the region the asyncrat yara rule matched: a 72KB image at the default 32-bit PE base inside InstallUtil.exe)
memory/4880-144-0x0000000005BC0000-0x0000000005C5C000-memory.dmp   624KB
memory/4880-145-0x0000000006210000-0x00000000067B4000-memory.dmp   5.6MB
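A parser for the dump names in the Downloads list, added here as an example that is not the sandbox's code. It recomputes each region's size from its bounds, checks the result against the size label the report prints, and picks out regions at 0x400000 (the default 32-bit PE image base) inside a process other than the sample's own, which is how the injected payload dump stands out among the heap and CLR regions. The names and labels are copied from the report; the size-label rule (whole KB below 1 MiB, one decimal MB above) and the function names are this example's own choices, and they happen to reproduce the report's figures.

```python
"""Parse sandbox memory-dump names and recompute their sizes."""
import re
from dataclasses import dataclass
from typing import Optional

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9a-fA-F]+)"
    r"(?:-(?P<end>0x[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    kind: str           # "memory" (dumped region) or "mapping" (process map)
    start: int
    end: Optional[int]  # None for mapping dumps, which carry no range

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        return None
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("seq")), m.group("kind"),
                int(m.group("start"), 16), int(end, 16) if end else None)


def size_label(nbytes):
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def injected_regions(dumps, sample_pid):
    """Regions at 0x400000, the default 32-bit PE image base, inside a process
    other than the sample's own: an image that process did not start with."""
    return [d for d in dumps
            if d is not None and d.kind == "memory"
            and d.start == 0x400000 and d.pid != sample_pid]


def mismatched_labels(labelled):
    """(name, printed, recomputed) for every region whose size label differs."""
    bad = []
    for name, label in labelled:
        d = parse_dump_name(name)
        if d is None or d.size is None:
            continue
        got = size_label(d.size)
        if got != label:
            bad.append((name, label, got))
    return bad


# Names and size labels as printed in the report's Downloads list.
REPORT_DUMPS = [
    ("memory/4004-132-0x0000000000C50000-0x0000000000E22000-memory.dmp", "1.8MB"),
    ("memory/4004-133-0x0000000005AC0000-0x0000000005AE2000-memory.dmp", "136KB"),
    ("memory/1252-134-0x0000000000000000-mapping.dmp", None),
    ("memory/1252-135-0x0000000002DA0000-0x0000000002DD6000-memory.dmp", "216KB"),
    ("memory/1252-136-0x00000000056D0000-0x0000000005CF8000-memory.dmp", "6.2MB"),
    ("memory/1252-137-0x0000000005470000-0x00000000054D6000-memory.dmp", "408KB"),
    ("memory/1252-138-0x0000000005F30000-0x0000000005F96000-memory.dmp", "408KB"),
    ("memory/1252-139-0x0000000006360000-0x000000000637E000-memory.dmp", "120KB"),
    ("memory/1252-140-0x0000000007BB0000-0x000000000822A000-memory.dmp", "6.5MB"),
    ("memory/1252-141-0x0000000006860000-0x000000000687A000-memory.dmp", "104KB"),
    ("memory/4880-142-0x0000000000000000-mapping.dmp", None),
    ("memory/4880-143-0x0000000000400000-0x0000000000412000-memory.dmp", "72KB"),
    ("memory/4880-144-0x0000000005BC0000-0x0000000005C5C000-memory.dmp", "624KB"),
    ("memory/4880-145-0x0000000006210000-0x00000000067B4000-memory.dmp", "5.6MB"),
]

if __name__ == "__main__":
    dumps = [parse_dump_name(n) for n, _ in REPORT_DUMPS]
    for d in injected_regions(dumps, sample_pid=4004):
        print(f"pid {d.pid} seq {d.seq}: {size_label(d.size)} at {d.start:#x}")
    print("label mismatches:", mismatched_labels(REPORT_DUMPS))
```

The region selector is a triage shortcut, not proof of injection on its own; here it agrees with the yara hit, and the 72KB dump at 0x400000 in PID 4880 is the file an analyst would pull first to carve the AsyncRAT binary and confirm the config.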