Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 21-01-2023 00:01
Behavioral task: behavioral1
- Sample: aws.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: aws.exe
- Resource: win10v2004-20221111-en
General
- Target: aws.exe
- Size: 85KB
- MD5: 63fb22e516c5c5f243b06b35883956f9
- SHA1: b915cdc9c0a9f7afe7a28d8a47e778a2b99f8374
- SHA256: 14d3276ca733ff2efebeb3208f7e233da4df8735514c216e5fa52a83e9110f8b
- SHA512: c012d8ac37a2742218c14812e50cb456ed3fe2df954059ce221a5c971746f74c4e940e37eb81443dd10df7a430e227b039a33d8264bbf42874d9076737808955
- SSDEEP: 1536:Yr4lbI9/CJxFz3FI8Cwof4wJ9JDUiPDMNkGbbawfpaSGRZVclN30/yRmP:O41I9/CJxFz3FI8Cwo7J7DRDMOGbbagG
Malware Config
Extracted family: asyncrat
- version: 1.0.7
- botnet: Default
- C2: 192.253.245.243:7771
- mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: Windows Defender Security.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (4 IoCs)
  resource: yara_rule
  \Users\Admin\AppData\Roaming\Windows Defender Security.exe: asyncrat
  C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe: asyncrat
  C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe: asyncrat
  behavioral1/memory/472-64-0x0000000000EE0000-0x0000000000EF6000-memory.dmp: asyncrat
- Executes dropped EXE (3 IoCs)
  pid 276  Windows Security.exe
  pid 472  Windows Defender Security.exe
  pid 1816 Windows Security Service.exe
- Loads dropped DLL (3 IoCs)
  pid 1700 aws.exe (2 events)
  pid 276  Windows Security.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  powershell.exe: Set value (str)
  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Service = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Security Windows Security Windows Security Service\\Windows Security Service.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 276  Windows Security.exe
  pid 1816 Windows Security Service.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 472 Windows Defender Security.exe (64 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 472  Windows Defender Security.exe (2 events)
  Token: SeDebugPrivilege  pid 1852 powershell.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1700 aws.exe wrote to memory of 276 Windows Security.exe (4 events)
  PID 1700 aws.exe wrote to memory of 472 Windows Defender Security.exe (4 events)
  PID 276 Windows Security.exe wrote to memory of 1852 powershell.exe (4 events)
  PID 276 Windows Security.exe wrote to memory of 1816 Windows Security Service.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\aws.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\aws.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Windows Security.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Service';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Service' -Value '"C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
  - C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
Dropped files (each file was recorded both under C:\Users\... and under \Users\..., with identical hashes; listed once here)
- C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
  Filesize: 63KB
  MD5: 74254d6ccfbbc7f1696022dde5f9fee9
  SHA1: e2ed9d4754f788d85d4d73f5a67a6b19b4a2bbb4
  SHA256: 26e76180b530f6e363624dd6a38c10a9fe0fd91abdd513c618f9b39ea24abec0
  SHA512: ec2109e8d2182aac33668fa156b0e10f7f5ea3829bd19207805df052f4f789e564e387fb3fef975d2a05a0cda9427b9c1dc4f01e78e58f60a0937548715f7831
- C:\Users\Admin\AppData\Roaming\Windows Security Windows Security Windows Security Service\Windows Security Service.exe
  Filesize: 42.3MB
  MD5: b5a5ca7c1241866fb498abe51574a4da
  SHA1: 2b11ad733a68470ca2e304cd732b69a80baa0f68
  SHA256: c6f2e5838ba397b64febc92fa4e567d9d1440a2ff9376bd3fdd745ad95a04b69
  SHA512: e85003d98f5c44508661196a8811b6ba804d03a4aa68144d847c3793c2d35507120c707975e418eb288122877ce50f0eaffa97d1c768dfcde71d1f061926dcfc
- C:\Users\Admin\AppData\Roaming\Windows Security.exe
  Filesize: 10KB
  MD5: bd222e0e523e4c9a20ddb7625a44b543
  SHA1: 63caaa470b36d26eb2f22728568a2c974221e2ad
  SHA256: 19825a869b9085d7c2ab5f634fa72b9a0b4779c9d9194e1b408e147309bcde7b
  SHA512: 03d78834d4ac7b78f33d3d694528ba1e34cb0f91f9567a1b26f39ec8030043c59c5248ad623718071e779fea892016c303cd10711c51d66d7cfdc06ea499916e
Memory dumps
- memory/276-65-0x0000000000060000-0x0000000000068000-memory.dmp (32KB)
- memory/276-56-0x0000000000000000-mapping.dmp
- memory/472-59-0x0000000000000000-mapping.dmp
- memory/472-64-0x0000000000EE0000-0x0000000000EF6000-memory.dmp (88KB)
- memory/1700-63-0x0000000074A80000-0x000000007502B000-memory.dmp (5.7MB)
- memory/1700-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp (8KB)
- memory/1816-70-0x0000000000000000-mapping.dmp
- memory/1816-73-0x0000000000FF0000-0x0000000000FF8000-memory.dmp (32KB)
- memory/1852-67-0x0000000000000000-mapping.dmp
- memory/1852-75-0x000000006F6A0000-0x000000006FC4B000-memory.dmp (5.7MB)
- memory/1852-76-0x000000006F6A0000-0x000000006FC4B000-memory.dmp (5.7MB)