Analysis

max time kernel: 151s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 04:26
Behavioral task: behavioral1
Sample: 7f2717a61bf9954670ea7c947815816e.exe
Resource: win7-20220901-en
General

Target: 7f2717a61bf9954670ea7c947815816e.exe
Size: 58KB
MD5: 7f2717a61bf9954670ea7c947815816e
SHA1: 7bf30b1291d800c583ac863856da257eaeecd531
SHA256: 15d3ee4efbe7c1ebc998c69f2d6902fb26387c83dc49e41f54c2946c420120c1
SHA512: c5f652863f10c895c212bb2dbaa1b798f01db6344e99f70519590f67f8fc5d5ea760e9ba26b83bc256159d979364c8ec7a02db53ef42736e4756e987b0f5b829
SSDEEP: 1536:4uyRNTAGo2W93pXGyb9Z5dqPPnHbJdRaMb:4uy/TAGo2U3pXGyb9ZiPvHbJjaMb
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet ID: Spoofer
C2: 90.49.136.9:8080
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: true
  install_file: AnyDesk.exe
  install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  YARA rule "asyncrat" matched on:
  - behavioral2/memory/3460-132-0x0000000000B30000-0x0000000000B44000-memory.dmp
  - C:\Users\Admin\AppData\Roaming\AnyDesk.exe
  - C:\Users\Admin\AppData\Roaming\AnyDesk.exe

Executes dropped EXE (1 IoC)
  - PID 1932 AnyDesk.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  - Key value queried by 7f2717a61bf9954670ea7c947815816e.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  - PID 1324 timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  - PID 3460 7f2717a61bf9954670ea7c947815816e.exe (23 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 3460 7f2717a61bf9954670ea7c947815816e.exe
  - Token: SeDebugPrivilege, PID 1932 AnyDesk.exe
  - Token: SeDebugPrivilege, PID 1932 AnyDesk.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  - PID 3460 7f2717a61bf9954670ea7c947815816e.exe wrote to memory of PID 5028 cmd.exe (3 entries)
  - PID 3460 7f2717a61bf9954670ea7c947815816e.exe wrote to memory of PID 5068 cmd.exe (3 entries)
  - PID 5068 cmd.exe wrote to memory of PID 1324 timeout.exe (3 entries)
  - PID 5028 cmd.exe wrote to memory of PID 4276 schtasks.exe (3 entries)
  - PID 5068 cmd.exe wrote to memory of PID 1932 AnyDesk.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\7f2717a61bf9954670ea7c947815816e.exe (PID 3460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f2717a61bf9954670ea7c947815816e.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 5028)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AnyDesk" /tr '"C:\Users\Admin\AppData\Roaming\AnyDesk.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 4276)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "AnyDesk" /tr '"C:\Users\Admin\AppData\Roaming\AnyDesk.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe (PID 5068)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD323.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 1324)
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\AnyDesk.exe (PID 1932)
      Command line: "C:\Users\Admin\AppData\Roaming\AnyDesk.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpD323.tmp.bat
  Filesize: 151B
  MD5: 824db48cf584711a7f63aacfdb0d4370
  SHA1: 464ad57243e7284446ffd1f74c4854d8d1e38eb4
  SHA256: 42aa2140042d795db5cce07dff4da32a273407d0599913a90f7dd9032870e665
  SHA512: 979be17c0f7c73bfb0ffe6c861d00f518216d3768cdc09256b8d18c1fd7844f99fdab7c7cb8b0a707a0b33ec8eaaf52711aa4726cadad2a75e8f5bf5b325d436

C:\Users\Admin\AppData\Roaming\AnyDesk.exe
  Filesize: 58KB
  MD5: 7f2717a61bf9954670ea7c947815816e
  SHA1: 7bf30b1291d800c583ac863856da257eaeecd531
  SHA256: 15d3ee4efbe7c1ebc998c69f2d6902fb26387c83dc49e41f54c2946c420120c1
  SHA512: c5f652863f10c895c212bb2dbaa1b798f01db6344e99f70519590f67f8fc5d5ea760e9ba26b83bc256159d979364c8ec7a02db53ef42736e4756e987b0f5b829
memory/1324-138-0x0000000000000000-mapping.dmp

memory/1932-140-0x0000000000000000-mapping.dmp

memory/3460-132-0x0000000000B30000-0x0000000000B44000-memory.dmp
  Filesize: 80KB

memory/3460-133-0x00000000057E0000-0x0000000005846000-memory.dmp
  Filesize: 408KB

memory/3460-134-0x0000000005C30000-0x0000000005CCC000-memory.dmp
  Filesize: 624KB

memory/4276-139-0x0000000000000000-mapping.dmp

memory/5028-135-0x0000000000000000-mapping.dmp

memory/5068-136-0x0000000000000000-mapping.dmp