Analysis
- max time kernel: 176s
- max time network: 200s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 20:16
Behavioral task: behavioral1
- Sample: LocalSecurity.exe
- Resource: win7-20221111-en
General
- Target: LocalSecurity.exe
- Size: 45KB
- MD5: 82e07ce7c9183c9d8098c006a5717ead
- SHA1: f02f8f5374af906765b5fa1c4758252611767a19
- SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
- SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- SSDEEP: 768:zujYm1TUET1/WUTQV9mo2qzNRt4TOPIvzjbrgX3iau2uCBVgAxm9VldBDZvx:zujYm1TU0I2kE3v3bUXSz29VgRzdvx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2:
  127.0.0.1:7707
  127.0.0.1:1604
  127.0.0.1:8808
  127.0.0.1:6606
  127.0.0.1:17172
  6.tcp.eu.ngrok.io:7707
  6.tcp.eu.ngrok.io:1604
  6.tcp.eu.ngrok.io:8808
  6.tcp.eu.ngrok.io:6606
  6.tcp.eu.ngrok.io:17172
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: Runtime Broker.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/764-54-0x0000000000A50000-0x0000000000A62000-memory.dmp | asyncrat
  \Users\Admin\AppData\Roaming\Runtime Broker.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | asyncrat
  behavioral1/memory/1720-65-0x0000000001100000-0x0000000001112000-memory.dmp | asyncrat
- Executes dropped EXE (1 IoCs)
  pid | process
  1720 | Runtime Broker.exe
- Loads dropped DLL (1 IoCs)
  pid | process
  952 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  pid | process
  976 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | process
  764 | LocalSecurity.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 764 | LocalSecurity.exe
  Token: SeDebugPrivilege | 1720 | Runtime Broker.exe
  Token: SeDebugPrivilege | 1720 | Runtime Broker.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 764 wrote to memory of 336 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 336 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 336 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 336 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 952 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 952 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 952 | 764 | LocalSecurity.exe | cmd.exe
  PID 764 wrote to memory of 952 | 764 | LocalSecurity.exe | cmd.exe
  PID 336 wrote to memory of 884 | 336 | cmd.exe | schtasks.exe
  PID 336 wrote to memory of 884 | 336 | cmd.exe | schtasks.exe
  PID 336 wrote to memory of 884 | 336 | cmd.exe | schtasks.exe
  PID 336 wrote to memory of 884 | 336 | cmd.exe | schtasks.exe
  PID 952 wrote to memory of 976 | 952 | cmd.exe | timeout.exe
  PID 952 wrote to memory of 976 | 952 | cmd.exe | timeout.exe
  PID 952 wrote to memory of 976 | 952 | cmd.exe | timeout.exe
  PID 952 wrote to memory of 976 | 952 | cmd.exe | timeout.exe
  PID 952 wrote to memory of 1720 | 952 | cmd.exe | Runtime Broker.exe
  PID 952 wrote to memory of 1720 | 952 | cmd.exe | Runtime Broker.exe
  PID 952 wrote to memory of 1720 | 952 | cmd.exe | Runtime Broker.exe
  PID 952 wrote to memory of 1720 | 952 | cmd.exe | Runtime Broker.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF00A.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF00A.tmp.bat
  Filesize: 158B
  MD5: 5ff383a08d7eab6cc6bcf4b93c3ed57d
  SHA1: dfab047e2b29e46a2f95e1825cb45d1ee000954d
  SHA256: 046a62fceff391ed6d2b167cb287a084d4c429012d3591e8e4df405a920200f1
  SHA512: a589ace32b57f036ae72799bc0cb10ef7bac5384d916fd4242715d9df673ec524a46cf2c67558bbc1c1f6008612b3df65bb6980d6da54b43d94e3c0ebdc8a38f
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Filesize: 45KB
  MD5: 82e07ce7c9183c9d8098c006a5717ead
  SHA1: f02f8f5374af906765b5fa1c4758252611767a19
  SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
  SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Filesize: 45KB
  MD5: 82e07ce7c9183c9d8098c006a5717ead
  SHA1: f02f8f5374af906765b5fa1c4758252611767a19
  SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
  SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- \Users\Admin\AppData\Roaming\Runtime Broker.exe
  Filesize: 45KB
  MD5: 82e07ce7c9183c9d8098c006a5717ead
  SHA1: f02f8f5374af906765b5fa1c4758252611767a19
  SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
  SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- memory/336-56-0x0000000000000000-mapping.dmp
- memory/764-54-0x0000000000A50000-0x0000000000A62000-memory.dmp
  Filesize: 72KB
- memory/764-55-0x0000000075F01000-0x0000000075F03000-memory.dmp
  Filesize: 8KB
- memory/884-58-0x0000000000000000-mapping.dmp
- memory/952-57-0x0000000000000000-mapping.dmp
- memory/976-60-0x0000000000000000-mapping.dmp
- memory/1720-63-0x0000000000000000-mapping.dmp
- memory/1720-65-0x0000000001100000-0x0000000001112000-memory.dmp
  Filesize: 72KB