Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-01-2023 05:24
Static task: static1
Behavioral task: behavioral1
- Sample: 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe
- Resource: win10v2004-20221111-en
General
- Target: 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe
- Size: 87KB
- MD5: 3c6ccbfe897915f0fe6bc34d193bf4a0
- SHA1: 6fe3161ee66e317889066a302474e511220939e7
- SHA256: 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241
- SHA512: e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536
- SSDEEP: 1536:Fn6gewiUBl7opCAFqRxzWbg5N0ns1decUmnybgR+fPUSphJ7L2Ut:0gewHgCSC0sXmbgR+fPUSphJ7Ll
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- System Guard Runtime
- C2: 85.105.88.221:2531
- System Guard Runtime
- delay: 3
- install: false
- install_file: System Guard Runtime
- install_folder: %AppData%
Signatures
- Async RAT payload (6 IoCs)
  Processes: resource | yara_rule
  behavioral1/memory/376-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/376-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/376-65-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/376-66-0x000000000040D0EE-mapping.dmp | asyncrat
  behavioral1/memory/376-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/376-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe" | powershell.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe
  description | pid | process | target process
  PID 1380 set thread context of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe
  pid | process
  968 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 968 | powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe, cmd.exe
  description | pid | process | target process
  PID 1380 wrote to memory of 968 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | powershell.exe
  PID 1380 wrote to memory of 968 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | powershell.exe
  PID 1380 wrote to memory of 968 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | powershell.exe
  PID 1380 wrote to memory of 968 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | powershell.exe
  PID 1380 wrote to memory of 524 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | cmd.exe
  PID 1380 wrote to memory of 524 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | cmd.exe
  PID 1380 wrote to memory of 524 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | cmd.exe
  PID 1380 wrote to memory of 524 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | cmd.exe
  PID 524 wrote to memory of 756 | 524 | cmd.exe | schtasks.exe
  PID 524 wrote to memory of 756 | 524 | cmd.exe | schtasks.exe
  PID 524 wrote to memory of 756 | 524 | cmd.exe | schtasks.exe
  PID 524 wrote to memory of 756 | 524 | cmd.exe | schtasks.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
  PID 1380 wrote to memory of 376 | 1380 | 52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: #cmd
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/376-65-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/376-66-0x000000000040D0EE-mapping.dmp
- memory/376-70-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/376-68-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/376-63-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/376-60-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/376-61-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/376-64-0x0000000000400000-0x0000000000412000-memory.dmp (filesize 72KB)
- memory/524-58-0x0000000000000000-mapping.dmp
- memory/756-59-0x0000000000000000-mapping.dmp
- memory/968-56-0x0000000000000000-mapping.dmp
- memory/968-72-0x00000000700E0000-0x000000007068B000-memory.dmp (filesize 5.7MB)
- memory/968-73-0x00000000700E0000-0x000000007068B000-memory.dmp (filesize 5.7MB)
- memory/1380-55-0x0000000074F01000-0x0000000074F03000-memory.dmp (filesize 8KB)
- memory/1380-54-0x00000000013A0000-0x00000000013BC000-memory.dmp (filesize 112KB)