Analysis
max time kernel: 73s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2022, 19:41
Static task: static1
Behavioral task: behavioral1
  Sample: 1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
  Resource: win10v2004-20220812-en
General
Target: 1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
Size: 309KB
MD5: f4e3415d68ba7564f1400b74e4d7e22b
SHA1: a4a3b80c28db771c0b15c543daa56a229467fdf3
SHA256: 1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54
SHA512: 8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7
SSDEEP: 6144:h8u3J4+CQ6otk3BPuzoqANdyl6/5rLlj/T+/1aoaorg9v4EqP4EXPav0XXXXX3hM:0K1aoaCgR4HP4KPHXXXXX3hXXXXXX3Xs
Malware Config
Extracted: asyncrat 0.5.6D
Default
C2: milla.publicvm.com:6606
C2: milla.publicvm.com:7707
C2: milla.publicvm.com:8808
urulyqqdpunjfhquxdy
delay: 8
install: true
install_file: folders.exe
install_folder: %AppData%
Signatures

Async RAT payload 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/1096-57-0x00000000003B0000-0x00000000003C2000-memory.dmp   asyncrat
  behavioral1/memory/980-70-0x0000000000570000-0x0000000000582000-memory.dmp    asyncrat

Executes dropped EXE 1 IoCs
  pid   Process
  980   folders.exe

Loads dropped DLL 2 IoCs
  pid   Process
  952   cmd.exe
  952   cmd.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1752   schtasks.exe

Delays execution with timeout.exe 1 IoCs
  pid    Process
  1816   timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid    Process
  1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description               pid    Process
  Token: SeDebugPrivilege   1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
  Token: SeDebugPrivilege   980    folders.exe

Suspicious use of WriteProcessMemory 20 IoCs
  description                        pid    Process                                              procid_target
  PID 1096 wrote to memory of 800    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   26
  PID 1096 wrote to memory of 800    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   26
  PID 1096 wrote to memory of 800    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   26
  PID 1096 wrote to memory of 800    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   26
  PID 800 wrote to memory of 1752    800    cmd.exe                                              28
  PID 800 wrote to memory of 1752    800    cmd.exe                                              28
  PID 800 wrote to memory of 1752    800    cmd.exe                                              28
  PID 800 wrote to memory of 1752    800    cmd.exe                                              28
  PID 1096 wrote to memory of 952    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   29
  PID 1096 wrote to memory of 952    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   29
  PID 1096 wrote to memory of 952    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   29
  PID 1096 wrote to memory of 952    1096   1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe   29
  PID 952 wrote to memory of 1816    952    cmd.exe                                              31
  PID 952 wrote to memory of 1816    952    cmd.exe                                              31
  PID 952 wrote to memory of 1816    952    cmd.exe                                              31
  PID 952 wrote to memory of 1816    952    cmd.exe                                              31
  PID 952 wrote to memory of 980     952    cmd.exe                                              32
  PID 952 wrote to memory of 980     952    cmd.exe                                              32
  PID 952 wrote to memory of 980     952    cmd.exe                                              32
  PID 952 wrote to memory of 980     952    cmd.exe                                              32
Processes

C:\Users\Admin\AppData\Local\Temp\1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe
  "C:\Users\Admin\AppData\Local\Temp\1590B1512142D6C974828FC11958A9A5FFDB6673A584B.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1590B1512142D6C974828FC11958A9A5FFDB6673A584B /tr '"C:\Users\Admin\AppData\Roaming\folders.exe"' & exit
      - Suspicious use of WriteProcessMemory
      PID:800

        C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /ru system /rl highest /tn 1590B1512142D6C974828FC11958A9A5FFDB6673A584B /tr '"C:\Users\Admin\AppData\Roaming\folders.exe"'
          - Creates scheduled task(s)
          PID:1752

    C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:952

        C:\Windows\SysWOW64\timeout.exe
          timeout 3
          - Delays execution with timeout.exe
          PID:1816

        C:\Users\Admin\AppData\Roaming\folders.exe
          "C:\Users\Admin\AppData\Roaming\folders.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID:980
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 150B
MD5: 5e204fdd0361227ab448137c2db7fc50
SHA1: aaef86297fd1ee0f6f8b6677512f7ebb276e5ad0
SHA256: 6e319f9439be2895a8eae06580cde07cd38bcf32bbfc8c505c82c855c8344e1f
SHA512: 8fe1ac8366f790a8f420f9e6a4ce7316aa1ae0787d18a639bd25a3516bb3d500a1d0925b1b7ad670f7fed95e35d09d51ff55285afff6f5e4994e53bb875e404a

Filesize: 309KB
MD5: f4e3415d68ba7564f1400b74e4d7e22b
SHA1: a4a3b80c28db771c0b15c543daa56a229467fdf3
SHA256: 1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54
SHA512: 8c1a0d8db17301bdc6e2e3c16f953c1fd69ba76e887c797d64eb952155dc204a11b8f04181207cae7723aebddf638031e96225131a2006d07c43eb0555f207d7