Analysis
-
max time kernel
230s -
max time network
233s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-10-2022 03:48
Static task
static1
Behavioral task
behavioral1
Sample
4029013#.exe
Resource
win7-20220812-en
General
-
Target
4029013#.exe
-
Size
300.0MB
-
MD5
41308dae88480a4eaf61b36767990bbe
-
SHA1
a347f3eb607df4c47b9473818866bcad6aef4e96
-
SHA256
190324c758fe4e21f2254d10bc9871b5e8a2e0f063a0b49f1680b3ee9f8da519
-
SHA512
ee0812562d7f0f16ea75ccc236ac85c986c47ed52fc75ffb8d1a21d9c62cb90855963d2678dfc01345e97f5435d320d0ba982d82f1d7395d066b843e49479c42
-
SSDEEP
3072:ZuDu8y65Hc4/+683JZbqaZ75yEzHX7NXjPP8shYd0CwbI+hRx:ZuDu8y65Hc4SrbqXEz37BjzugbIg
Malware Config
Extracted
Family
asyncrat
-
Version
Venom RAT 5.0.4
-
Botnet
MAY 17
-
C2
paris-comrademay17.duckdns.org:25045
-
Mutex
kjauwydefagvrcku64y
-
Attributes
-
delay
1
-
install
false
-
install_folder
%AppData%
Note: the extracted config has install set to false, yet the run below shows a copy to %AppData%\pmfr.exe and a scheduled task. Both are performed by the dropper (4029013#.exe, via cmd.exe) before the RAT payload is injected into vbc.exe, not by the payload's own install routine.
Signatures
-
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2712-139-0x0000000000D70000-0x0000000000D86000-memory.dmp | asyncrat -
Executes dropped EXE 2 IoCs
Processes: pmfr.exe, pmfr.exe
pid | process
3056 | pmfr.exe
944 | pmfr.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 4029013#.exe, pmfr.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 4029013#.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | pmfr.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 4029013#.exe, pmfr.exe
description | pid | process | target process
PID 4336 set thread context of 2712 | 4336 | 4029013#.exe | vbc.exe
PID 3056 set thread context of 5012 | 3056 | pmfr.exe | vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for this sample the extracted config identifies an AsyncRAT variant, so the drive enumeration should be read in that context rather than as an encryption indicator.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
1468 | schtasks.exe
2636 | schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: vbc.exe, vbc.exe
description | pid | process
Token: SeDebugPrivilege | 2712 | vbc.exe
Token: SeDebugPrivilege | 5012 | vbc.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes: 4029013#.exe, cmd.exe, pmfr.exe, cmd.exe
description | pid | process | target process | rows
PID 4336 wrote to memory of 4716 | 4336 | 4029013#.exe | cmd.exe | 3
PID 4336 wrote to memory of 1472 | 4336 | 4029013#.exe | cmd.exe | 3
PID 4716 wrote to memory of 1468 | 4716 | cmd.exe | schtasks.exe | 3
PID 4336 wrote to memory of 2712 | 4336 | 4029013#.exe | vbc.exe | 8
PID 3056 wrote to memory of 620 | 3056 | pmfr.exe | cmd.exe | 3
PID 3056 wrote to memory of 1400 | 3056 | pmfr.exe | cmd.exe | 3
PID 3056 wrote to memory of 5012 | 3056 | pmfr.exe | vbc.exe | 8
PID 620 wrote to memory of 2636 | 620 | cmd.exe | schtasks.exe | 3
(identical rows collapsed; the rows column adds up to the 34 IoCs) -
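Added example, not part of the sandbox report: a small Python correlator that ingests the SetThreadContext and WriteProcessMemory rows above (constructed here as text, one line per reported IoC, repeated as often as the report lists it) and separates the ordinary spawn footprint (three writes into each cmd.exe or schtasks.exe child) from the two hollowing chains into vbc.exe (eight writes followed by SetThreadContext). The threshold NORMAL_SPAWN_WRITES, the labels and the function names are this example's own assumptions, not anything from the report or the sandbox.

```python
import re
from collections import defaultdict

# Constructed input: one line per IoC row of the SetThreadContext and
# WriteProcessMemory signatures above, repeated as many times as the report
# lists it. The repetition count is part of the signal, so it is kept.
_ROWS = [
    ("PID 4336 set thread context of 2712 4336 4029013#.exe vbc.exe", 1),
    ("PID 3056 set thread context of 5012 3056 pmfr.exe vbc.exe", 1),
    ("PID 4336 wrote to memory of 4716 4336 4029013#.exe cmd.exe", 3),
    ("PID 4336 wrote to memory of 1472 4336 4029013#.exe cmd.exe", 3),
    ("PID 4716 wrote to memory of 1468 4716 cmd.exe schtasks.exe", 3),
    ("PID 4336 wrote to memory of 2712 4336 4029013#.exe vbc.exe", 8),
    ("PID 3056 wrote to memory of 620 3056 pmfr.exe cmd.exe", 3),
    ("PID 3056 wrote to memory of 1400 3056 pmfr.exe cmd.exe", 3),
    ("PID 3056 wrote to memory of 5012 3056 pmfr.exe vbc.exe", 8),
    ("PID 620 wrote to memory of 2636 620 cmd.exe schtasks.exe", 3),
]
SANDBOX_EVENTS = "\n".join(line for line, n in _ROWS for _ in range(n))

# Row layout used by the report: "PID <src> <op> <dst> <src> <src image> <dst image>".
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumption for this example: in this report every plain CreateProcess shows
# up as exactly three WriteProcessMemory rows (see each cmd.exe/schtasks.exe
# pair). A hollowed host receives more writes (headers, sections, fix-ups)
# and then a SetThreadContext that redirects its suspended main thread.
NORMAL_SPAWN_WRITES = 3


def parse_events(text):
    """Yield (src_pid, src_img, op, dst_pid, dst_img) for every parseable line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield (int(m["src"]), m["src_img"], m["op"], int(m["dst"]), m["dst_img"])


def summarise(text):
    """Count memory writes and context sets per (source, target) process pair."""
    stats = defaultdict(lambda: {"writes": 0, "set_context": 0})
    for src, src_img, op, dst, dst_img in parse_events(text):
        key = (src, src_img, dst, dst_img)
        stats[key]["writes" if op.startswith("wrote") else "set_context"] += 1
    return dict(stats)


def classify(text):
    """Label each pair: 'hollowing' (extra writes + SetThreadContext),
    'spawn' (normal three-write footprint, no context change) or 'other'."""
    labels = {}
    for key, s in summarise(text).items():
        if s["set_context"] >= 1 and s["writes"] > NORMAL_SPAWN_WRITES:
            labels[key] = "hollowing"
        elif s["set_context"] == 0 and s["writes"] == NORMAL_SPAWN_WRITES:
            labels[key] = "spawn"
        else:
            labels[key] = "other"
    return labels


def hollowing_candidates(text):
    """Return the (src_pid, src_img, dst_pid, dst_img) pairs labelled hollowing, sorted."""
    return sorted(k for k, label in classify(text).items() if label == "hollowing")


if __name__ == "__main__":
    for src, src_img, dst, dst_img in hollowing_candidates(SANDBOX_EVENTS):
        print(f"{src_img} ({src}) hollowed {dst_img} ({dst})")
```

Both flagged pairs have the same shape: a non-Microsoft parent (the dropper, then its %AppData% copy) writes eight times into a freshly started vbc.exe and then sets its thread context, which is the classic hollowing sequence and matches where the AsyncRAT YARA hit was found (the 2712 memory dump). The cmd.exe and schtasks.exe children fall out as plain spawns.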
Processes
Image paths appear under C:\Windows\SysWOW64\ while the command lines name C:\Windows\System32\: the sample is a 32-bit process (arch:x86 above) and is subject to WOW64 file-system redirection. The depth numbers (1, 2, 3) are the report's own tree levels.
-
1  C:\Users\Admin\AppData\Local\Temp\4029013#.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\4029013#.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
-
  2  C:\Windows\SysWOW64\cmd.exe
     cmdline: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4029013#.exe" "C:\Users\Admin\AppData\Roaming\pmfr.exe"
-
  2  C:\Windows\SysWOW64\cmd.exe
     cmdline: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
     - Suspicious use of WriteProcessMemory
-
  2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
     cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
     - Suspicious use of AdjustPrivilegeToken
-
1  C:\Windows\SysWOW64\schtasks.exe
   cmdline: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
   - Creates scheduled task(s)
-
1  C:\Users\Admin\AppData\Roaming\pmfr.exe
   cmdline: C:\Users\Admin\AppData\Roaming\pmfr.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
-
  2  C:\Windows\SysWOW64\cmd.exe
     cmdline: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
     - Suspicious use of WriteProcessMemory
-
    3  C:\Windows\SysWOW64\schtasks.exe
       cmdline: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
       - Creates scheduled task(s)
-
  2  C:\Windows\SysWOW64\cmd.exe
     cmdline: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\pmfr.exe" "C:\Users\Admin\AppData\Roaming\pmfr.exe"
-
  2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
     cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
     - Suspicious use of AdjustPrivilegeToken
-
1  C:\Users\Admin\AppData\Roaming\pmfr.exe
   cmdline: C:\Users\Admin\AppData\Roaming\pmfr.exe
   - Executes dropped EXE
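Added example, not from the report or the sandbox: a Python parser for the persistence command lines in the tree above (the cmd.exe copy into %AppData% followed by schtasks /create /sc minute /mo 1) that scores each schtasks invocation and links a copy destination to the task it is scheduled under. The user-writable path list, the five-minute high-frequency threshold, the flag names and all function names are assumptions made for this example; the command lines are copied from the tree as constructed input.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: command lines copied verbatim from the process tree above.
OBSERVED_CMDLINES = [
    r'''"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4029013#.exe" "C:\Users\Admin\AppData\Roaming\pmfr.exe"''',
    r'''"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f''',
    r'''"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\pmfr.exe" "C:\Users\Admin\AppData\Roaming\pmfr.exe"''',
]

# Assumptions for this example: directories a standard user can write to, and
# the repeat interval below which a /sc minute task counts as a beacon-style
# re-launch rather than a legitimate job.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
HIGH_FREQUENCY_MINUTES = 5

# schtasks switches: "/name value" where value is a quoted string or a bare
# token; a switch followed by another switch (e.g. /create, /f) has no value.
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')
COPY_RE = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)


def _unquote(value):
    # /tr in the sample wraps the path in both " and ' ; strip both layers.
    return value.strip().strip('"').strip("'")


def parse_schtasks(cmdline):
    """Return the schtasks switches as a dict (valueless switches map to True),
    or None when the command line does not invoke schtasks at all."""
    idx = cmdline.lower().find("schtasks")
    if idx < 0:
        return None
    opts = {}
    for name, value in OPT_RE.findall(cmdline[idx:]):
        opts[name.lower()] = _unquote(value) if value else True
    return opts


def assess_schtasks(cmdline):
    """Score a 'schtasks /create' command line; None if it is not one."""
    opts = parse_schtasks(cmdline)
    if not opts or "create" not in opts:
        return None
    schedule = str(opts.get("sc", "")).lower()
    modifier = opts.get("mo")
    # Assumption: treat a missing /mo as 1, the tool's documented default.
    interval = int(modifier) if isinstance(modifier, str) and modifier.isdigit() else 1
    target = opts.get("tr") if isinstance(opts.get("tr"), str) else ""
    flags = []
    if schedule == "minute" and interval <= HIGH_FREQUENCY_MINUTES:
        flags.append("high-frequency")
    if any(p in target.lower() for p in USER_WRITABLE):
        flags.append("user-writable-target")
    if opts.get("f") is True:
        flags.append("forced-overwrite")
    return {
        "task_name": opts.get("tn"),
        "schedule": schedule,
        "interval_minutes": interval if schedule == "minute" else None,
        "target": target,
        "flags": flags,
    }


def assess_copy(cmdline):
    """Score a 'copy "src" "dst"' command line; None if there is no such copy."""
    m = COPY_RE.search(cmdline)
    if not m:
        return None
    src, dst = PureWindowsPath(m.group(1)), PureWindowsPath(m.group(2))
    flags = []
    if any(p in str(dst).lower() for p in USER_WRITABLE):
        flags.append("user-writable-destination")
    if src.suffix.lower() == ".exe" and dst.suffix.lower() == ".exe" and src.name != dst.name:
        flags.append("renamed-executable")
    return {"src": str(src), "dst": str(dst), "flags": flags}


def persistence_chain(cmdlines):
    """Link every copy whose destination is also a scheduled-task target.
    Returns (task name, copy source, copy destination, interval) tuples."""
    copies = [c for c in map(assess_copy, cmdlines) if c]
    tasks = [t for t in map(assess_schtasks, cmdlines) if t]
    linked = []
    for t in tasks:
        for c in copies:
            if c["dst"].lower() == t["target"].lower():
                entry = (t["task_name"], c["src"], c["dst"], t["interval_minutes"])
                if entry not in linked:
                    linked.append(entry)
    return linked


if __name__ == "__main__":
    for name, src, dst, minutes in persistence_chain(OBSERVED_CMDLINES):
        print(f"task {name!r}: {src} -> {dst}, re-launched every {minutes} min")
```

The interesting output is the link, not the individual flags: a renamed self-copy into %AppData%\Roaming that is then registered as a task firing every minute is the whole persistence mechanism of this sample, and the second copy line (Roaming to Roaming) shows the dropped copy re-running the same routine against itself.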
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Note: both 300.0MB captures of C:\Users\Admin\AppData\Roaming\pmfr.exe carry exactly the hashes of the submitted sample (a straight self-copy), so they add no new file IOC; the 49.4MB capture of the same path has different hashes. The CLR UsageLogs entry confirms the dropped copy ran as a .NET assembly.
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pmfr.exe.log
Filesize 520B
MD5 3ca2f9e6a94c24c455ac9431a0bf479b
SHA1 a90309eec691588990609f8f8ad9b935d6f38eb2
SHA256 e84d0c64750ec6333b67eb8aef737bb21cd86c6ef6e520c6537ede13505e125e
SHA512 ba66e42b384f0d865a21d9169169a0b2bd9c62ebee68acc63a191b1a67ca16f4534f955055fc84bbc4a9cd22cec11c3c22a15df7741d99b7dec456e5cabcb0b5
-
C:\Users\Admin\AppData\Roaming\pmfr.exe
Filesize 300.0MB
MD5 41308dae88480a4eaf61b36767990bbe
SHA1 a347f3eb607df4c47b9473818866bcad6aef4e96
SHA256 190324c758fe4e21f2254d10bc9871b5e8a2e0f063a0b49f1680b3ee9f8da519
SHA512 ee0812562d7f0f16ea75ccc236ac85c986c47ed52fc75ffb8d1a21d9c62cb90855963d2678dfc01345e97f5435d320d0ba982d82f1d7395d066b843e49479c42
-
C:\Users\Admin\AppData\Roaming\pmfr.exe
Filesize 300.0MB
MD5 41308dae88480a4eaf61b36767990bbe
SHA1 a347f3eb607df4c47b9473818866bcad6aef4e96
SHA256 190324c758fe4e21f2254d10bc9871b5e8a2e0f063a0b49f1680b3ee9f8da519
SHA512 ee0812562d7f0f16ea75ccc236ac85c986c47ed52fc75ffb8d1a21d9c62cb90855963d2678dfc01345e97f5435d320d0ba982d82f1d7395d066b843e49479c42
-
C:\Users\Admin\AppData\Roaming\pmfr.exe
Filesize 49.4MB
MD5 9a3e23c7c6dbb6e9395e0d2e7256a81e
SHA1 b877b299d820d2800ff5aa9ad9fbd87dc8246e1d
SHA256 268131f5f727160a5ce4f0aaae6f9d63ebb2e96a68d2a34ef610dd62fcabd277
SHA512 d18a3b3f01541e6851a0ec9a23dee8638e97a788e14b7e4227bbf1359741b61ecbd25a9ce5445dc6d0088192f5158fc1496d88c57e7944e02249f189d8ef2b16
-
memory/620-142-0x0000000000000000-mapping.dmp
-
memory/1400-143-0x0000000000000000-mapping.dmp
-
memory/1468-136-0x0000000000000000-mapping.dmp
-
memory/1472-135-0x0000000000000000-mapping.dmp
-
memory/2636-145-0x0000000000000000-mapping.dmp
-
memory/2712-139-0x0000000000D70000-0x0000000000D86000-memory.dmp
Filesize 88KB
-
memory/2712-138-0x0000000000400000-0x0000000000416000-memory.dmp
Filesize 88KB
-
memory/2712-137-0x0000000000000000-mapping.dmp
-
memory/4336-132-0x0000000000500000-0x0000000000532000-memory.dmp
Filesize 200KB
-
memory/4336-133-0x00000000056F0000-0x0000000005C94000-memory.dmp
Filesize 5.6MB
-
memory/4716-134-0x0000000000000000-mapping.dmp
-
memory/5012-144-0x0000000000000000-mapping.dmp