Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 07:11
Behavioral task: behavioral1
Sample: a085750ab9332bd2f0ad4b14ceba4c8f.exe
Resource: win7-20221111-en
General
Target: a085750ab9332bd2f0ad4b14ceba4c8f.exe
Size: 47KB
MD5: a085750ab9332bd2f0ad4b14ceba4c8f
SHA1: ceb4652807226f27eb9556e2f2c9fd080aa341d8
SHA256: ceb08316d1560c7c4f5b6b8b8209b98230fe95480b3a3905d841b313d49216ca
SHA512: ad4daed223c00083e6dc0ecaeb2367a0e37d62a26a887be43a523aa6cfbd5e5ed8a740dee69c08b853abb85c9c53ecfa59d3cc2f8266d6a5addfbb5c2bb557f7
SSDEEP: 768:Bu449TxAwVDWUPOvG6yxmo2qbNDwuNKKKlePIvmp40b+AQXaTPva2CznH3xBDZox:Bu449Tx72vGR2wEuuVu9b+AQarrC7Pda
Malware Config
Extracted
asyncrat
0.5.7B
Default
AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: services.exe
install_folder: %AppData%
Signatures
-
Async RAT payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4152-132-0x0000000000B80000-0x0000000000B92000-memory.dmp | asyncrat
C:\Users\Admin\AppData\Roaming\services.exe | asyncrat
C:\Users\Admin\AppData\Roaming\services.exe | asyncrat
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1132 | services.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | a085750ab9332bd2f0ad4b14ceba4c8f.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
3268 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid | process
4152 | a085750ab9332bd2f0ad4b14ceba4c8f.exe (this row is repeated 23 times in the report)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4152 | a085750ab9332bd2f0ad4b14ceba4c8f.exe
Token: SeDebugPrivilege | 1132 | services.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 4152 wrote to memory of 4392 | 4152 | a085750ab9332bd2f0ad4b14ceba4c8f.exe | cmd.exe (repeated 3 times)
PID 4152 wrote to memory of 4108 | 4152 | a085750ab9332bd2f0ad4b14ceba4c8f.exe | cmd.exe (repeated 3 times)
PID 4108 wrote to memory of 3268 | 4108 | cmd.exe | timeout.exe (repeated 3 times)
PID 4392 wrote to memory of 4752 | 4392 | cmd.exe | schtasks.exe (repeated 3 times)
PID 4108 wrote to memory of 1132 | 4108 | cmd.exe | services.exe (repeated 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a085750ab9332bd2f0ad4b14ceba4c8f.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a085750ab9332bd2f0ad4b14ceba4c8f.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr '"C:\Users\Admin\AppData\Roaming\services.exe"' & exit
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\schtasks.exe (level 3)
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr '"C:\Users\Admin\AppData\Roaming\services.exe"'
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9791.tmp.bat""
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\timeout.exe (level 3)
    Command line: timeout 3
    - Delays execution with timeout.exe
  -
    C:\Users\Admin\AppData\Roaming\services.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Roaming\services.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9791.tmp.bat
Filesize: 152B
MD5: f6fae4bd7eb6968f280befeb085efdee
SHA1: 2fe4d62386e0ea6da3ec208576c6d38ae6a2ae02
SHA256: 22c4f3b9b42218317c59ea53b7839f174c59ecf21beba251f9561cf6cc59f44d
SHA512: 26875515fdb495d234b3c990025488f8e246470454459f52081461e81c6c2905dcee2f6bf5ad560dadae58b33094447d36a4441a48bda4b6f2425e422d3b3d0d
-
C:\Users\Admin\AppData\Roaming\services.exe
Filesize: 47KB
MD5: a085750ab9332bd2f0ad4b14ceba4c8f
SHA1: ceb4652807226f27eb9556e2f2c9fd080aa341d8
SHA256: ceb08316d1560c7c4f5b6b8b8209b98230fe95480b3a3905d841b313d49216ca
SHA512: ad4daed223c00083e6dc0ecaeb2367a0e37d62a26a887be43a523aa6cfbd5e5ed8a740dee69c08b853abb85c9c53ecfa59d3cc2f8266d6a5addfbb5c2bb557f7
-
memory/1132-139-0x0000000000000000-mapping.dmp
-
memory/3268-137-0x0000000000000000-mapping.dmp
-
memory/4108-135-0x0000000000000000-mapping.dmp
-
memory/4152-132-0x0000000000B80000-0x0000000000B92000-memory.dmp
Filesize: 72KB
-
memory/4152-133-0x0000000005650000-0x00000000056EC000-memory.dmp
Filesize: 624KB
-
memory/4392-134-0x0000000000000000-mapping.dmp
-
memory/4752-138-0x0000000000000000-mapping.dmp