Behavioral Report

General

Target

46356ce64664820165594ed18ec26a90.exe
Size

302KB
MD5

46356ce64664820165594ed18ec26a90
SHA1

4cc931965d09e90eaffca9d3d6e9a3e76a1a4366
SHA256

f06f422d7fc0f07d426965ceccf417598eadb7fcacfbe156dd37d3059669ecc0
SHA512

e725dd10fc4ee0d9429decb52f7fe79b4f1dab5547f19cef1d323e2dcf836d28edf7d1bbaf4090cd1b5f2a3cabb1840dcb1a94513a5f14899e7eedffda08e7f0
SSDEEP

6144:EInpgzEJQ5Jz+ZwRI3iusfICdNOWqlzhjZRPY8yxDziZi4/W:np6ZCwRI3iiCTSlzh1BR2HIW

Score

10^/10

asyncrat rat vmprotect

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Executes dropped EXE ⋅ 1 IoCs

Processes:

ShellExperienceHost.exe

pid process

2772 ShellExperienceHost.exe

pid	process
2772	ShellExperienceHost.exe

VMProtect packed file ⋅ 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2656-132-0x00000000003C0000-0x0000000000446000-memory.dmp	vmprotect
behavioral2/files/0x0002000000022dfc-144.dat	vmprotect
behavioral2/files/0x0002000000022dfc-145.dat	vmprotect

Checks computer location settings ⋅ 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

46356ce64664820165594ed18ec26a90.exeShellExperienceHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	46356ce64664820165594ed18ec26a90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ShellExperienceHost.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exe

pid process

3808 schtasks.exe
Delays execution with timeout.exe ⋅ 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3124 timeout.exe
4904 timeout.exe

pid	process
3808	schtasks.exe

pid	process
3124	timeout.exe
4904	timeout.exe

Suspicious behavior: EnumeratesProcesses ⋅ 23 IoCs

Processes:

46356ce64664820165594ed18ec26a90.exe

pid	process
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe
2656	46356ce64664820165594ed18ec26a90.exe

Suspicious use of AdjustPrivilegeToken ⋅ 4 IoCs

Processes:

46356ce64664820165594ed18ec26a90.exeShellExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	2656	46356ce64664820165594ed18ec26a90.exe
Token: SeDebugPrivilege	2656	46356ce64664820165594ed18ec26a90.exe
Token: SeDebugPrivilege	2772	ShellExperienceHost.exe
Token: SeDebugPrivilege	2772	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory ⋅ 18 IoCs

Processes:

46356ce64664820165594ed18ec26a90.execmd.execmd.exeShellExperienceHost.execmd.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 4888	2656	46356ce64664820165594ed18ec26a90.exe	cmd.exe
PID 2656 wrote to memory of 4888	2656	46356ce64664820165594ed18ec26a90.exe	cmd.exe
PID 2656 wrote to memory of 3996	2656	46356ce64664820165594ed18ec26a90.exe	cmd.exe
PID 2656 wrote to memory of 3996	2656	46356ce64664820165594ed18ec26a90.exe	cmd.exe
PID 4888 wrote to memory of 3808	4888	cmd.exe	schtasks.exe
PID 4888 wrote to memory of 3808	4888	cmd.exe	schtasks.exe
PID 3996 wrote to memory of 3124	3996	cmd.exe	timeout.exe
PID 3996 wrote to memory of 3124	3996	cmd.exe	timeout.exe
PID 3996 wrote to memory of 2772	3996	cmd.exe	ShellExperienceHost.exe
PID 3996 wrote to memory of 2772	3996	cmd.exe	ShellExperienceHost.exe
PID 2772 wrote to memory of 4492	2772	ShellExperienceHost.exe	cmd.exe
PID 2772 wrote to memory of 4492	2772	ShellExperienceHost.exe	cmd.exe
PID 2772 wrote to memory of 4920	2772	ShellExperienceHost.exe	cmd.exe
PID 2772 wrote to memory of 4920	2772	ShellExperienceHost.exe	cmd.exe
PID 4492 wrote to memory of 4616	4492	cmd.exe	schtasks.exe
PID 4492 wrote to memory of 4616	4492	cmd.exe	schtasks.exe
PID 4920 wrote to memory of 4904	4920	cmd.exe	timeout.exe
PID 4920 wrote to memory of 4904	4920	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\46356ce64664820165594ed18ec26a90.exe

"C:\Users\Admin\AppData\Local\Temp\46356ce64664820165594ed18ec26a90.exe"

Checks computer location settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:2656

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ShellExperienceHost" /tr '"C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe"' & exit

Suspicious use of WriteProcessMemory

PID:4888

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "ShellExperienceHost" /tr '"C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe"'

Creates scheduled task(s)

PID:3808

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp466F.tmp.bat""

Suspicious use of WriteProcessMemory

PID:3996

C:\Windows\system32\timeout.exe

timeout 3

Delays execution with timeout.exe

PID:3124

C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe

"C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe"

Executes dropped EXE
Checks computer location settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:2772

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "ShellExperienceHost"

Suspicious use of WriteProcessMemory

PID:4492

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "ShellExperienceHost"

PID:4616

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp.bat""

Suspicious use of WriteProcessMemory

PID:4920

C:\Windows\system32\timeout.exe

timeout 3

Delays execution with timeout.exe

PID:4904

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp466F.tmp.bat
MD5
c7e9f32c5bb2339470ce5fb5cdbc2a7e

SHA1
50c4d090ae857f3f444b5242ade3aea16ad906f6

SHA256
53723888cc2ee555e5a475f52024bff55ed3401f262c2d9827dfc1249cf4b513

SHA512
4b7557c5e838eaadeada52aa9a916f62d573ca82623404158c821543ab717eca5b7cac754394e0598ae8083ceda871d84a44397a7cdf1ccc7106ed8134d1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp.bat
MD5
ed94534d83d717c7b4fc73e9db44b11e

SHA1
8f318a992fac6afba37694e530338ac31289be5e

SHA256
9343f4f7e1005ea3d7f927ccf31f6c98bd081693f7b1ce86d7daa18372c13a86

SHA512
1919c090e0bc9d6cad042d5a99306c595f6fff19fe93652f45f24d7945c2371a643e9a4512119c1aa3bef26d042ff96358ca8c148b8318b05b95ed120116dcdb

Download Submit
C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe
MD5
46356ce64664820165594ed18ec26a90

SHA1
4cc931965d09e90eaffca9d3d6e9a3e76a1a4366

SHA256
f06f422d7fc0f07d426965ceccf417598eadb7fcacfbe156dd37d3059669ecc0

SHA512
e725dd10fc4ee0d9429decb52f7fe79b4f1dab5547f19cef1d323e2dcf836d28edf7d1bbaf4090cd1b5f2a3cabb1840dcb1a94513a5f14899e7eedffda08e7f0

Download Submit
C:\Users\Admin\AppData\Roaming\ShellExperienceHost.exe
MD5
46356ce64664820165594ed18ec26a90

SHA1
4cc931965d09e90eaffca9d3d6e9a3e76a1a4366

SHA256
f06f422d7fc0f07d426965ceccf417598eadb7fcacfbe156dd37d3059669ecc0

SHA512
e725dd10fc4ee0d9429decb52f7fe79b4f1dab5547f19cef1d323e2dcf836d28edf7d1bbaf4090cd1b5f2a3cabb1840dcb1a94513a5f14899e7eedffda08e7f0

Download Submit
memory/2656-135-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Download
memory/2656-136-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Download
memory/2656-132-0x00000000003C0000-0x0000000000446000-memory.dmp

Download
memory/2656-141-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Download
memory/2772-151-0x000000001DB40000-0x000000001DB5E000-memory.dmp

Download
memory/2772-157-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Download
memory/2772-146-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Download
memory/2772-149-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Download
memory/2772-150-0x000000001DBC0000-0x000000001DC36000-memory.dmp

Download
memory/2772-143-0x0000000000000000-mapping.dmp

Download
memory/3124-142-0x0000000000000000-mapping.dmp

Download
memory/3808-140-0x0000000000000000-mapping.dmp

Download
memory/3996-138-0x0000000000000000-mapping.dmp

Download
memory/4492-152-0x0000000000000000-mapping.dmp

Download
memory/4616-154-0x0000000000000000-mapping.dmp

Download
memory/4888-137-0x0000000000000000-mapping.dmp

Download
memory/4904-156-0x0000000000000000-mapping.dmp

Download
memory/4920-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads