Analysis
max time kernel: 44s
max time network: 155s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 13:01
Static task: static1
Behavioral task: behavioral1
Sample: AS-0987654567890-09654.pif.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: AS-0987654567890-09654.pif.exe
Resource: win10v2004-20221111-en
General
Target: AS-0987654567890-09654.pif.exe
Size: 152KB
MD5: ba88096aed1d0887ac87096eb02f31d7
SHA1: 653ec005de1c9eaa01d0caf97fd4a4c568263df1
SHA256: c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71
SHA512: 73323ddb58b6aed0b8a171a2e1aeb10c6e8dcf12cd8bf2240d7e64ec70898cba340016e4659ab3fea909bbddbb3404e0af70396fe8b98ed10b388706b2d6c285
SSDEEP: 3072:QEhKzShSycSMPJk+V42ma+9zxIT+DPjMBBYECSF:QBn1PJkS42mBITe+US
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 45.137.22.111:8787
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures
-
Async RAT payload (2 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/1652-68-0x00000000002C0000-0x00000000002D2000-memory.dmp: asyncrat
- behavioral1/memory/1652-69-0x0000000000400000-0x0000000000427000-memory.dmp: asyncrat
-
Executes dropped EXE (3 IoCs)
Processes (pid process):
- 904 sbuwe.exe
- 1164 sbuwe.exe
- 1652 sbuwe.exe
-
Processes (resource: yara_rule):
- behavioral1/memory/1652-69-0x0000000000400000-0x0000000000427000-memory.dmp: upx
-
Loads dropped DLL (3 IoCs)
Processes (pid process):
- 996 AS-0987654567890-09654.pif.exe
- 904 sbuwe.exe
- 904 sbuwe.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\oiagigju = C:\Users\Admin\AppData\Roaming\olmg\ocwwiqlgifp.exe "C:\Users\Admin\AppData\Local\Temp\sbuwe.exe" C:\Users\Admin\AppData\Local\Tem (process: sbuwe.exe)
The value data is cut off in the sandbox record ("...\Local\Tem"); the visible part re-launches the Temp-dropped loader sbuwe.exe through a copy under AppData\Roaming. The key is written by the loader process (sbuwe.exe, PID 904, the same process that later sets the thread context of PID 1652), not by the AsyncRAT payload: the extracted config has install: false, so the persistence in this run comes from the loader stage rather than from the RAT's own install routine.
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
- PID 904 (sbuwe.exe) set thread context of PID 1652 (sbuwe.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this report supports that reading (the extracted payload is AsyncRAT, and no file encryption or mass file modification is recorded), so treat it as drive enumeration rather than as evidence of ransomware.
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid process):
- 904 sbuwe.exe
- 904 sbuwe.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 1652 sbuwe.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (13 records, grouped by source and target):
- PID 996 (AS-0987654567890-09654.pif.exe) wrote to memory of PID 904 (sbuwe.exe): 4 records
- PID 904 (sbuwe.exe) wrote to memory of PID 1164 (sbuwe.exe): 4 records
- PID 904 (sbuwe.exe) wrote to memory of PID 1652 (sbuwe.exe): 5 records
Processes (PIDs taken from the Signatures section above)
- C:\Users\Admin\AppData\Local\Temp\AS-0987654567890-09654.pif.exe (depth 1, PID 996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AS-0987654567890-09654.pif.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sbuwe.exe (depth 2, PID 904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sbuwe.exe" C:\Users\Admin\AppData\Local\Temp\czxzqyursx.swv
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\sbuwe.exe (depth 3, PID 1164)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\sbuwe.exe (depth 3, PID 1652)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sbuwe.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\czxzqyursx.swv
Filesize: 7KB
MD5: 3e89ab76378b853abae0815b619cd419
SHA1: 35f8ee8bdba1d5c3f3bf1f8ab13b96357e77ec2a
SHA256: 6a6ab3f8800efa664b3d13b58b14478c169575915bea91ef57c9564e256bd929
SHA512: cbddf2239c49c0ef961deb6bd095c59a660ef3d6d039459b2b1fc1884cbd1ddb518c038610a06a118e260a76da29b4c5e638ca1ccccc6f8b391bff3de2c0f0d6
-
C:\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize: 99KB
MD5: 51b1213e3b3ac55e28bdfb6ba8e68d65
SHA1: f7db5144b7510e4f47385d9e892ab0ec5e8b528c
SHA256: a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f
SHA512: 6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f
-
C:\Users\Admin\AppData\Local\Temp\scmky.pqz
Filesize: 66KB
MD5: 1c57157238cd8136733d20228666fc29
SHA1: 9a7ed5d6e7413bf269b6725625bd6594dba9eb3e
SHA256: 050c95c5cf12d9ccdbca94b80e7b0c59a3670e4571c853ae7d47ccc7f2bbc4cc
SHA512: ba3fc8c777f2e2f4b74ad1a09eafc3d5f64cb92ddb80cac2812268eac05719cb4a8725ca898ef7c8e0f4093775cf9e5b7454ca1c3bd50133236ab76c9362151c
-
\Users\Admin\AppData\Local\Temp\sbuwe.exe
Filesize: 99KB
MD5: 51b1213e3b3ac55e28bdfb6ba8e68d65
SHA1: f7db5144b7510e4f47385d9e892ab0ec5e8b528c
SHA256: a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f
SHA512: 6652ae87cf05151769f70fdc2d771dd09edda183758acc18f86d707bbaa65c51c57f9443c053ab5677e260ca836f257d2eccb20b0bc94cc7c6f9ec133635756f
-
memory/904-56-0x0000000000000000-mapping.dmp
-
memory/996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp
Filesize: 8KB
-
memory/1652-65-0x0000000000424E60-mapping.dmp
-
memory/1652-68-0x00000000002C0000-0x00000000002D2000-memory.dmp
Filesize: 72KB
-
memory/1652-69-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB