Analysis

max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: a514f5618e75e6976b61a2e2ca4f9291.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a514f5618e75e6976b61a2e2ca4f9291.exe
  Resource: win10v2004-20220901-en
General

Target: a514f5618e75e6976b61a2e2ca4f9291.exe
Size: 1.2MB
MD5: a514f5618e75e6976b61a2e2ca4f9291
SHA1: 1f6e5ea09e3617c2113bbf0c854fa9c6ef7dbf8e
SHA256: f60bcc6d90d9415a7c3c8beebdeeed867df6681880b10e925cdbc767840793ea
SHA512: 20ed5d38666461559a5c95321240568b77c7ef3ea5e9f66d61288d0ea6a9a863d35dd44fff4f758a050240d68febf8b38b9de3cee5ccd09509155cad3b85af00
SSDEEP: 24576:JAOcZe4ecyPEy42o1wW6vjOnFveUkjPV99npuezy71oporah3:jW1y4hY6teUkj9fZe6Gs
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet ID: Default
C2: product62.duckdns.org:1905
C2: goodygoody.duckdns.org:1905
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_file: Windows updater.exe
install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4500-138-0x0000000001300000-0x0000000001A2C000-memory.dmp | asyncrat
  behavioral2/memory/4500-139-0x000000000130C78E-mapping.dmp | asyncrat
  behavioral2/memory/4500-142-0x0000000001300000-0x0000000001312000-memory.dmp | asyncrat

Executes dropped EXE (2 IoCs)
  pid | process
  4992 | aoqpxwe.pif
  4500 | RegSvcs.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | a514f5618e75e6976b61a2e2ca4f9291.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | aoqpxwe.pif
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\telling = "C:\\Users\\Admin\\7_43\\aoqpxwe.pif C:\\Users\\Admin\\7_43\\haxtim.apd" | aoqpxwe.pif

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 4992 set thread context of 4500 | 4992 | aoqpxwe.pif | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  4500 | RegSvcs.exe (4 entries)
  4992 | aoqpxwe.pif (remaining 60 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4500 | RegSvcs.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2076 wrote to memory of 4992 | 2076 | a514f5618e75e6976b61a2e2ca4f9291.exe | aoqpxwe.pif (3 entries)
  PID 4992 wrote to memory of 4500 | 4992 | aoqpxwe.pif | RegSvcs.exe (5 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a514f5618e75e6976b61a2e2ca4f9291.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a514f5618e75e6976b61a2e2ca4f9291.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\7_43\aoqpxwe.pif (child of 1)
      Command line: "C:\Users\Admin\7_43\aoqpxwe.pif" haxtim.apd
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\7_43\aoqpxwe.pif
  Filesize: 1.7MB
  MD5: dd3466f64841cf21fc31f63f03dbfd29
  SHA1: 3878c8e52203d792c6f672595f7c78ab27ce3f04
  SHA256: 4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b
  SHA512: adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

C:\Users\Admin\7_43\fpqmvvxh.ppv
  Filesize: 90KB
  MD5: 8f7afd4090dab508eda419e02b4f73e5
  SHA1: e29a41526aa914a37e97ddeff800e670a41a7faf
  SHA256: 30b0b52b68dca6bc429edc6eed7f4f61e5481e996e88738bd4b22dc8dd8d5bfa
  SHA512: 00f23b4e52f94125db5146a39b022094e444317f361b1d8112f50d9d2e4d62e3d7082392a875c2a3aca66f4f60b4fdcf9bfbe449c27d2cf1ca182e4574d96c58

C:\Users\Admin\7_43\hajlttccg.icm
  Filesize: 55KB
  MD5: 4e4d1b73c27cf35e8e76f97086c546dd
  SHA1: 05f9912462a30720c1e4549e2177eecfd9ffa046
  SHA256: 62108ab333bcc3fa356f33398aef4d520f2365ed3639d0f486ae90c2dcfbd078
  SHA512: b04143c73dbf722d477cb63bd3b6b1db24ba9e8c97b732f2634942e4b2aa67352a3af92725353dc625b7dabcd7a64b37532d7ee31b1bbdf26e3e7496eaea00a0

C:\Users\Admin\7_43\haxtim.apd
  Filesize: 216.6MB
  MD5: 0f8dbda31b556ccd2ed91705fa600d3f
  SHA1: 9ad66ddd6a14a06829a9f9830229ae294fb1efcc
  SHA256: 69321265d9e2e8ceafdf4bb4632302558385bab13afe631f430348fe4f035b50
  SHA512: 90c313ded54500c10eed968d0e2491e6e4b02b7adba508e63c3fc97ee4d55cf22d5cae03f2ead04f1cb9329623e81e71b15b4d51fbe23fbad7895dfa5d94ffec

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4500-139-0x000000000130C78E-mapping.dmp

memory/4500-138-0x0000000001300000-0x0000000001A2C000-memory.dmp
  Filesize: 7.2MB

memory/4500-142-0x0000000001300000-0x0000000001312000-memory.dmp
  Filesize: 72KB

memory/4500-143-0x0000000006A90000-0x0000000006B2C000-memory.dmp
  Filesize: 624KB

memory/4500-144-0x00000000070E0000-0x0000000007684000-memory.dmp
  Filesize: 5.6MB

memory/4500-145-0x0000000006BA0000-0x0000000006C06000-memory.dmp
  Filesize: 408KB

memory/4992-132-0x0000000000000000-mapping.dmp