Analysis
- max time kernel: 189s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 20:16
Behavioral task: behavioral1
- Sample: LocalSecurity.exe
- Resource: win7-20221111-en
General
- Target: LocalSecurity.exe
- Size: 45KB
- MD5: 82e07ce7c9183c9d8098c006a5717ead
- SHA1: f02f8f5374af906765b5fa1c4758252611767a19
- SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
- SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- SSDEEP: 768:zujYm1TUET1/WUTQV9mo2qzNRt4TOPIvzjbrgX3iau2uCBVgAxm9VldBDZvx:zujYm1TU0I2kE3v3bUXSz29VgRzdvx
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2 hosts:
  - 127.0.0.1:7707
  - 127.0.0.1:1604
  - 127.0.0.1:8808
  - 127.0.0.1:6606
  - 127.0.0.1:17172
  - 6.tcp.eu.ngrok.io:7707
  - 6.tcp.eu.ngrok.io:1604
  - 6.tcp.eu.ngrok.io:8808
  - 6.tcp.eu.ngrok.io:6606
  - 6.tcp.eu.ngrok.io:17172
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: Runtime Broker.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (3 IoCs)
  Processes:
  - resource: behavioral2/memory/2700-132-0x00000000006E0000-0x00000000006F2000-memory.dmp, yara_rule: asyncrat
  - resource: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe, yara_rule: asyncrat
  - resource: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe, yara_rule: asyncrat
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 3560, process Runtime Broker.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - LocalSecurity.exe: Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  - taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  - taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  - pid 3748, process timeout.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (64 entries, in order): pid 2088 taskmgr.exe (repeated), pid 2700 LocalSecurity.exe (repeated), pid 2088 taskmgr.exe (repeated)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 2088 taskmgr.exe
  - Token: SeSystemProfilePrivilege, pid 2088 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, pid 2088 taskmgr.exe
  - Token: SeDebugPrivilege, pid 2700 LocalSecurity.exe
  - Token: SeDebugPrivilege, pid 3560 Runtime Broker.exe
  - Token: SeDebugPrivilege, pid 3560 Runtime Broker.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (64 entries): pid 2088 taskmgr.exe (repeated)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (64 entries): pid 2088 taskmgr.exe (repeated)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source pid, source process, target pid, target process):
  - PID 2700 LocalSecurity.exe wrote to memory of 4272 cmd.exe (3 times)
  - PID 4272 cmd.exe wrote to memory of 1948 schtasks.exe (3 times)
  - PID 2700 LocalSecurity.exe wrote to memory of 3916 cmd.exe (3 times)
  - PID 3916 cmd.exe wrote to memory of 3748 timeout.exe (3 times)
  - PID 3916 cmd.exe wrote to memory of 3560 Runtime Broker.exe (3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
      Signatures:
      - Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB09.tmp.bat""
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      Signatures:
      - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
- [1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpDB09.tmp.bat
  Filesize: 158B
  MD5: 4b88ca2adf3b0ee990a3502ece07e8b6
  SHA1: e45acda33aed6e26ea87f97df9c97eaa81ecec15
  SHA256: 2cae43ad95a748a6ae34d4618f9bcdf6d4c93015632511aa45a6cdc578c702a1
  SHA512: 993d462b4e500841fcd4d1b86587609e692f560ed4e109d829c6f643c5a64bc992ffe444847692402634be33fc224a8913e56fc1641a8a87daed9b1ec828ff26
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Filesize: 45KB
  MD5: 82e07ce7c9183c9d8098c006a5717ead
  SHA1: f02f8f5374af906765b5fa1c4758252611767a19
  SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
  SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  Filesize: 45KB
  MD5: 82e07ce7c9183c9d8098c006a5717ead
  SHA1: f02f8f5374af906765b5fa1c4758252611767a19
  SHA256: 5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8
  SHA512: 0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce
- memory/1948-136-0x0000000000000000-mapping.dmp
- memory/2700-132-0x00000000006E0000-0x00000000006F2000-memory.dmp
  Filesize: 72KB
- memory/2700-133-0x00000000055D0000-0x0000000005636000-memory.dmp
  Filesize: 408KB
- memory/2700-134-0x0000000005740000-0x00000000057DC000-memory.dmp
  Filesize: 624KB
- memory/3560-140-0x0000000000000000-mapping.dmp
- memory/3748-139-0x0000000000000000-mapping.dmp
- memory/3916-137-0x0000000000000000-mapping.dmp
- memory/4272-135-0x0000000000000000-mapping.dmp