Analysis
- max time kernel: 149s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 22:01
- Static task: static1
- Behavioral task: behavioral1, sample ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe, resource win7-20221111-en

The task list is truncated: it shows only behavioral1 on win7-20221111-en, while the header above and the memory-dump paths below (behavioral2/...) belong to the win10v2004-20221111-en run whose results this page reports.
General
- Target: ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe
- Size: 507KB
- MD5: dcbd5c74983063308220a5fe8426dad7
- SHA1: 6bcb87b9c97ae777c35ba6f0c3171bc056935714
- SHA256: ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80
- SHA512: 238d3c4978707dbd5060c18c8b83b91c1aa9e4649430a3116570265e89b7bd0f5ebbe2820267c4e78bf726b48398b0175a44bba6d3b28d73e6689768b1d90d79
- SSDEEP: 12288:5hqxSLo5C1Ps4XhitX+t498svkg44SDxSECrtIf0:5HLmCiIhiXzkg44SDMECrKM
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: v13cracker.ddns.net:6606
- Mutex: &&pLO91K^RG#!P72IIrjkU^kv9qPNuvKBnGN5#l8^5a9kN9jA9
- Attributes:
  - delay: 3
  - install: false
  - install_file: system.exe
  - install_folder: %AppData%

Reading the attributes: delay is the number of seconds the client sleeps before it starts working; install false means this build does not copy itself to %AppData%\system.exe or register persistence, so install_file and install_folder are unused here and the client only runs from wherever it was launched. The C2 is a dynamic-DNS hostname on 6606, one of the AsyncRAT default ports; block and hunt on the hostname and the mutex rather than on a resolved address, which can change between runs.
Signatures

Async RAT payload (3 IoCs)
YARA rule asyncrat matched:
- C:\Users\Admin\AppData\Local\Temp\PERICO.exe (file, reported twice)
- behavioral2/memory/2192-140-0x00000000006C0000-0x00000000006D2000-memory.dmp (PERICO.exe, PID 2192)

Executes dropped EXE (2 IoCs)
- PID 2548: ee.exe
- PID 2192: PERICO.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
- by ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe
- by ee.exe
Caveat: this value can also be read by .NET globalization code during ordinary startup, so the query on its own is weak evidence of geofencing; look for a comparison against a country list before treating it as one.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The report attaches no IoC to this signature, and its "likely ransomware behaviour" text is the sandbox's generic description; with the payload identified as AsyncRAT, treat this as drive enumeration, not as evidence of ransomware.

Suspicious use of WriteProcessMemory (9 IoCs)
The report records each write three times; the distinct parent-to-child writes are:
- PID 4152 (ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe) wrote to memory of PID 1448 (cmd.exe)
- PID 1448 (cmd.exe) wrote to memory of PID 2548 (ee.exe)
- PID 2548 (ee.exe) wrote to memory of PID 2192 (PERICO.exe)
Every write goes into a process the writer itself spawned (compare the process tree below), which is the pattern this signature produces on ordinary process creation; nothing here shows injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe (PID 4152)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 1448)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pan.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ee.exe (PID 2548)
         Command line: ee.exe -plexe -dC:\Users\Admin\AppData\Local\Temp
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\PERICO.exe (PID 2192)
            Command line: "C:\Users\Admin\AppData\Local\Temp\PERICO.exe"
            - Executes dropped EXE

Reading the chain (PIDs taken from the WriteProcessMemory signature): the submitted sample is a 32-bit image, since the cmd.exe it starts is served from SysWOW64 by file-system redirection even though the command line names system32. cmd.exe runs the dropped pan.bat, which launches ee.exe with switches that look like a password (-plexe) and an output directory (-dC:\Users\Admin\AppData\Local\Temp); ee.exe then starts PERICO.exe from that directory, and PERICO.exe is the file and memory region the asyncrat YARA rule matched. pan.bat is 22 bytes, exactly the length of the single line "ee.exe -plexe -d%TEMP%", which would expand to the observed command line; that content is an inference from the size and the command line, not something the report shows, and should be confirmed against the dropped file's hashes.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\PERICO.exe
- Filesize: 45KB
- MD5: 5dad596213c35c415955e7cf0206a903
- SHA1: 14008918a346472a3ab74df5449039c8f2ce99cc
- SHA256: 778d0168edf4e3d03772d0fbc9e00b59c3e34031d2ebcff8e95b9533afda4e7d
- SHA512: c1eee7899a7ac62b64674d2aa6c862a56a38d3667342725faaa9575735499d828757cdcf0bfec3fd0b48bb076e3eba17a2ec856b5d343f416dbbbc8d419192d7

C:\Users\Admin\AppData\Local\Temp\ee.exe
- Filesize: 343KB
- MD5: fbae2a2bf4ceda0dfde6df65eb49bef2
- SHA1: 1fffb3b743e2dc9845d160bad258e3ae68423b01
- SHA256: caed3b8ea321af9a4bb58624b3f7a4c2da846808a018ed21985b0b7fd005c318
- SHA512: 1eeabd0c87690e97c6df6b0774f36429334ab45eaa14fc73c841606447ee72dd546b60e97806980d26eba1d7ff4093d234e6c1b8703eddda6128690e55ecd1b9

C:\Users\Admin\AppData\Local\Temp\pan.bat
- Filesize: 22B
- MD5: 604cbba2d09ea0f8fdaa4e8610023a86
- SHA1: d792b17505c6bf6be6b52dc87d31995fdf200f68
- SHA256: ba080a72ba0ed23e6ce7777e2c805b2b2f862a8f622be829526796ee972acf25
- SHA512: 71a884276edd6a1ce174a6730467aa71faa39300c6040ab16bf85a067ee7eb751c07507d921083ae3f4273514279d5be28acc3c15636519accfd4349f39bfad8

Memory dumps
- memory/1448-132-0x0000000000000000-mapping.dmp
- memory/2192-137-0x0000000000000000-mapping.dmp
- memory/2192-140-0x00000000006C0000-0x00000000006D2000-memory.dmp (Filesize: 72KB; the region in PERICO.exe, PID 2192, that the asyncrat YARA rule matched)
- memory/2548-134-0x0000000000000000-mapping.dmp
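The report gives pan.bat's size and digests but not its content, and the command line ee.exe was launched with suggests what the 22 bytes might be. The following Python is an added example, not part of the sandbox report: it is the check to run before quoting a guessed content, filtering candidate strings by the reported size, hashing the survivors with MD5, SHA-1 and SHA-256, and returning the ones that reproduce the reported digests. The CANDIDATES list holds assumptions derived from the observed command line; the script decides whether any of them is right, and verify_file applies the same check to the dropped file once it has been pulled from the sandbox.

```python
import hashlib

# Size and digests of pan.bat as reported above.
PAN_BAT_SIZE = 22
PAN_BAT_DIGESTS = {
    "md5": "604cbba2d09ea0f8fdaa4e8610023a86",
    "sha1": "d792b17505c6bf6be6b52dc87d31995fdf200f68",
    "sha256": "ba080a72ba0ed23e6ce7777e2c805b2b2f862a8f622be829526796ee972acf25",
}

# Guessed contents (assumptions, not from the report): the observed ee.exe
# command line with the Temp path written as an environment variable, in the
# usual case variants and with/without a trailing CRLF. Anything whose length
# differs from the reported 22 bytes is rejected before hashing.
CANDIDATES = [
    "ee.exe -plexe -d%TEMP%",
    "ee.exe -plexe -d%temp%",
    "ee.exe -plexe -d%TEMP%\r\n",
    "ee.exe -plexe -d%tmp%",
]


def digests(data: bytes) -> dict:
    """Hex digests keyed the same way the report labels them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches(data: bytes, expected: dict, size=None) -> bool:
    """True only if the size (when given) and every expected digest match."""
    if size is not None and len(data) != size:
        return False
    got = digests(data)
    return all(got[name] == value.lower() for name, value in expected.items())


def find_matching(candidates, expected, size=None, encoding="ascii"):
    """Candidate strings whose encoded bytes reproduce the expected digests."""
    return [c for c in candidates if matches(c.encode(encoding), expected, size)]


def verify_file(path, expected, size=None) -> bool:
    """Same check against a file on disk, e.g. pan.bat pulled from the sandbox."""
    with open(path, "rb") as fh:
        return matches(fh.read(), expected, size)


if __name__ == "__main__":
    hits = find_matching(CANDIDATES, PAN_BAT_DIGESTS, PAN_BAT_SIZE)
    print("matching candidates:", hits or "none; dump the file instead of guessing")
```

If find_matching returns an empty list, the guess stays a guess and the batch file has to be recovered from the sandbox; if it returns a candidate, every one of the three reported digests agreed, which is strong enough to quote the content as established.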