Analysis
max time kernel: 178s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 22:01
Static task: static1
Behavioral task: behavioral1
Sample: 1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe
Resource: win7-20221111-en
Note: the task list names the behavioral1 run (win7-20221111-en), but the platform and resource fields above, and the behavioral2/ prefix on the memory-dump paths further down, show that the results on this page come from the windows10-2004_x64 run.
General
Target: 1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe
Size: 507KB
MD5: d8851e861c60745223c8545d327e7c02
SHA1: 68a2772a8750ac4ce84b206c6a79502a4864743a
SHA256: 1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4
SHA512: 528b54ecacc6f7b01a47d0404b960dfd0d3270131ef0744c067126714052c3e05d7e9d9ee377e72e333822a8d3b76634ef6f33f5d8882d6aced483b88d3a0520
SSDEEP: 12288:5hqxSLo5C1Ps4XhitX+t498qkgj4SRW+ftfeGF034r+:5HLmCiIhiX6A4S9ft2BIr+
Malware Config
Extracted
family: asyncrat
version: 0.5.7B
botnet/group id: Default
C2: v13cracker.ddns.net:6606
unlabelled field (in this extractor's output the value between the C2 and delay is the client's mutex name): &&pLO91K^RG#!P72IIrjkU^kv9qPNuvKBnGN5#l8^5a9kN9jA9
delay: 3
install: false
install_file: system.exe
install_folder: %AppData%
Reading the config: delay is the number of seconds the client waits before its first connection attempt. install is false, so this build does not copy itself to %AppData%\system.exe or set up persistence; install_file and install_folder are the values it would have used had that flag been set. The C2 is a dynamic-DNS hostname and 6606 is one of AsyncRAT's default listening ports, so the hostname and port are worth alerting on, not only whatever IP it resolved to during the run.
Signatures
Async RAT payload (3 IoCs)
- resource: C:\Users\Admin\AppData\Local\Temp\jp.exe, yara rule: asyncrat
- resource: C:\Users\Admin\AppData\Local\Temp\jp.exe, yara rule: asyncrat (the same file, recorded twice)
- resource: behavioral2/memory/4324-140-0x0000000000FC0000-0x0000000000FD2000-memory.dmp, yara rule: asyncrat
The on-disk and in-memory matches agree: the memory dump is taken from pid 4324, which is jp.exe's own process, so the dropped jp.exe is the AsyncRAT client itself rather than a loader that places it somewhere else.
Executes dropped EXE (2 IoCs)
- pid 3656: jpg.exe
- pid 4324: jp.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation, by 1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation, by jpg.exe
Caveat: this is the value Windows' GetUserGeoID returns, and benign software reads it while initialising locale information, so the query on its own is weak evidence of geofencing. Note also which processes made it: the dropper and jpg.exe, not the AsyncRAT client (jp.exe).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: the second sentence is the sandbox's generic description of this signature. The extracted configuration identifies the payload as AsyncRAT, and nothing else in this report points to file encryption.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1584 wrote to memory of 116 (1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe -> cmd.exe), recorded 3 times
- PID 116 wrote to memory of 3656 (cmd.exe -> jpg.exe), recorded 3 times
- PID 3656 wrote to memory of 4324 (jpg.exe -> jp.exe), recorded 3 times
Every record is a parent writing into the child it has just created, and all three pairs carry the same count, so these entries mirror the process tree below and are consistent with ordinary process creation; they do not show injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe (pid 1584)
   command line: "C:\Users\Admin\AppData\Local\Temp\1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (pid 116)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\an.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\jpg.exe (pid 3656)
         command line: jpg.exe -pjavipg* -dC:\Users\Admin\AppData\Local\Temp
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\jp.exe (pid 4324)
            command line: "C:\Users\Admin\AppData\Local\Temp\jp.exe"
            - Executes dropped EXE
Reading the chain: the 507KB sample runs the dropped an.bat (26 bytes) through cmd.exe. The image path is SysWOW64 although the command line says system32, the usual sign of file-system redirection for a 32-bit parent. The batch launches the dropped jpg.exe (343KB) with -p<password> and -d<directory> switches, the syntax a WinRAR SFX module accepts for a password-protected archive and an extraction directory, which is consistent with jpg.exe being a self-extracting archive that unpacks jp.exe (45KB) into %TEMP% and runs it. The password javipg* is visible on the command line, so the inner stage can be extracted manually from jpg.exe with the same switches.
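The chain above can be rebuilt mechanically from the WriteProcessMemory records, which matters when reports in this format are triaged in bulk. The Python below is an added example, not part of the sandbox report or its tooling: it parses the nine records exactly as this page presents them, reconstructs the parent/child tree, and applies three checks to the command lines (an executable launched from %TEMP% by cmd.exe, a %TEMP% executable spawning another, and -p/-d switches in the WinRAR SFX style). The %TEMP% location and the switch heuristic are assumptions chosen for illustration, not rules taken from the sandbox.

```python
"""Rebuild the process chain from the report's WriteProcessMemory records
and run a few checks over it.

Added example; not part of the sandbox report. Records and command lines
are copied from the report. The %TEMP% location and the -p/-d heuristic
are assumptions made for illustration.
"""
import re

SAMPLE = "1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# The nine records of the "Suspicious use of WriteProcessMemory" signature,
# one per line (the page runs them together). Column order as on the page:
# description, pid, process, target process.
WPM_RECORDS = (
    [f"PID 1584 wrote to memory of 116 1584 {SAMPLE} cmd.exe"] * 3
    + ["PID 116 wrote to memory of 3656 116 cmd.exe jpg.exe"] * 3
    + ["PID 3656 wrote to memory of 4324 3656 jpg.exe jp.exe"] * 3
)

# pid -> (image path, command line), taken from the report's process tree.
PROCESSES = {
    1584: (TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    116: (r"C:\Windows\SysWOW64\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\an.bat" "'),
    3656: (TEMP + r"\jpg.exe", r"jpg.exe -pjavipg* -d" + TEMP),
    4324: (TEMP + r"\jp.exe", '"' + TEMP + r'\jp.exe"'),
}

RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_wpm(records):
    """Collapse records into {(src_pid, dst_pid): (src_img, dst_img, count)}."""
    edges = {}
    for line in records:
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        _, _, n = edges.get(key, (None, None, 0))
        edges[key] = (m["src_img"], m["dst_img"], n + 1)
    return edges


def build_tree(edges):
    """Return ({child_pid: parent_pid}, {pid: image name}) from the edges."""
    parent, image = {}, {}
    for (src, dst), (src_img, dst_img, _) in edges.items():
        parent[dst] = src
        image.setdefault(src, src_img)
        image[dst] = dst_img
    return parent, image


def chain(parent, pid):
    """Ancestry of pid, root first."""
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def has_sfx_switches(cmdline):
    """True when both a -p<password> and a -d<directory> switch are present,
    the switch syntax a WinRAR SFX module accepts (assumed heuristic)."""
    toks = cmdline.split()
    return (any(t.startswith("-p") and len(t) > 2 for t in toks)
            and any(t.startswith("-d") and len(t) > 2 for t in toks))


def in_temp(path):
    """Assumed location of %TEMP% for the sandbox user."""
    return path.lower().startswith(TEMP.lower() + "\\")


def assess(parent, processes):
    """Apply the three checks to every process; returns {pid: [finding, ...]}."""
    findings = {}
    for pid, (path, cmdline) in processes.items():
        ppath = processes[parent[pid]][0] if pid in parent else ""
        hits = []
        if ppath.lower().endswith("\\cmd.exe") and in_temp(path):
            hits.append("cmd.exe launched an executable from %TEMP%")
        if in_temp(ppath) and in_temp(path):
            hits.append("%TEMP% executable spawned another %TEMP% executable")
        if has_sfx_switches(cmdline):
            hits.append("SFX-style -p/-d switches on the command line")
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    parent, image = build_tree(parse_wpm(WPM_RECORDS))
    print(" -> ".join(f"{p} ({image[p]})" for p in chain(parent, 4324)))
    for pid, hits in assess(parent, PROCESSES).items():
        print(pid, image[pid], hits)
```

Run stand-alone it prints the chain 1584 -> 116 -> 3656 -> 4324; only jpg.exe and jp.exe produce findings, and every edge carries the same write count of three, which is the point made under the WriteProcessMemory signature above.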
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\an.bat
Filesize: 26B
MD5: e7b6794b26ecbf0b80a8fb738e821998
SHA1: cf0fe55901d197d94148b50c4cec4a21dbfd61c4
SHA256: 9516c358b7468f8796a275f7f8cc47398f74ac8711d8d2c8e7f40c44ffe3c6e9
SHA512: d25dca72d5d35c537d56124fab49519de5272a1993c9cea4ce02f3327e80b29e650138594f2b5967825d080ebff16e25ddf4a331ef5cd6d859efc7b52faf41ac

C:\Users\Admin\AppData\Local\Temp\jp.exe (the report lists this file twice with identical hashes)
Filesize: 45KB
MD5: 423bed330652033effb3a81b85a6002e
SHA1: 64dc00d9c943bfb796f443b7161ee5f37318fef5
SHA256: 6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7
SHA512: 47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

C:\Users\Admin\AppData\Local\Temp\jpg.exe (the report lists this file twice with identical hashes)
Filesize: 343KB
MD5: 1399db959053a18752efaea98959d26b
SHA1: 0420ffd1c1cc8ddfb3afc662b96eed1aedb0fdd3
SHA256: 5587ef2ef4c44df541dce9134336b25c2641ef5dc4e014794a31dccedc6900e3
SHA512: 37310b82022cc4c5a62fca7102d281b4d183dd30cf2221f1d0a40bf74bdbf634a60c8e7c05df9ad762ebe74fc1fa289482e9475d2c4d1f661452c2a57c51e1d4

Memory dumps
- memory/116-132-0x0000000000000000-mapping.dmp
- memory/3656-134-0x0000000000000000-mapping.dmp
- memory/4324-137-0x0000000000000000-mapping.dmp
- memory/4324-140-0x0000000000FC0000-0x0000000000FD2000-memory.dmp, Filesize: 72KB
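The digests above are what goes into a blocklist, but the page export glues each label to its value ("MD5e7b6...") and repeats two entries, so transcribing them by hand invites mistakes. The Python below is an added example, not part of the sandbox report: it parses the Downloads section as the page presents it (copied inline), rejects any digest whose length does not match its algorithm, and collapses the repeated jp.exe and jpg.exe entries. The three mapping.dmp lines carry no size or digests and are left out; the only layout assumption is what is visible on the page.

```python
"""Parse the report's "Downloads" entries into structured records.

Added example; not part of the sandbox report. The text below is copied
from the page, where each digest label is run together with its value and
two files appear twice. Only the visible layout is assumed.
"""
import re

RAW_DOWNLOADS = r"""
C:\Users\Admin\AppData\Local\Temp\an.batFilesize
26B
MD5e7b6794b26ecbf0b80a8fb738e821998
SHA1cf0fe55901d197d94148b50c4cec4a21dbfd61c4
SHA2569516c358b7468f8796a275f7f8cc47398f74ac8711d8d2c8e7f40c44ffe3c6e9
SHA512d25dca72d5d35c537d56124fab49519de5272a1993c9cea4ce02f3327e80b29e650138594f2b5967825d080ebff16e25ddf4a331ef5cd6d859efc7b52faf41ac
C:\Users\Admin\AppData\Local\Temp\jp.exeFilesize
45KB
MD5423bed330652033effb3a81b85a6002e
SHA164dc00d9c943bfb796f443b7161ee5f37318fef5
SHA2566a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7
SHA51247cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992
C:\Users\Admin\AppData\Local\Temp\jp.exeFilesize
45KB
MD5423bed330652033effb3a81b85a6002e
SHA164dc00d9c943bfb796f443b7161ee5f37318fef5
SHA2566a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7
SHA51247cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992
C:\Users\Admin\AppData\Local\Temp\jpg.exeFilesize
343KB
MD51399db959053a18752efaea98959d26b
SHA10420ffd1c1cc8ddfb3afc662b96eed1aedb0fdd3
SHA2565587ef2ef4c44df541dce9134336b25c2641ef5dc4e014794a31dccedc6900e3
SHA51237310b82022cc4c5a62fca7102d281b4d183dd30cf2221f1d0a40bf74bdbf634a60c8e7c05df9ad762ebe74fc1fa289482e9475d2c4d1f661452c2a57c51e1d4
C:\Users\Admin\AppData\Local\Temp\jpg.exeFilesize
343KB
MD51399db959053a18752efaea98959d26b
SHA10420ffd1c1cc8ddfb3afc662b96eed1aedb0fdd3
SHA2565587ef2ef4c44df541dce9134336b25c2641ef5dc4e014794a31dccedc6900e3
SHA51237310b82022cc4c5a62fca7102d281b4d183dd30cf2221f1d0a40bf74bdbf634a60c8e7c05df9ad762ebe74fc1fa289482e9475d2c4d1f661452c2a57c51e1d4
memory/4324-140-0x0000000000FC0000-0x0000000000FD2000-memory.dmpFilesize
72KB
"""

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

HEADER_RE = re.compile(r"^(?P<path>.+?)Filesize$")
SIZE_RE = re.compile(r"^(?P<num>\d+)(?P<unit>B|KB|MB)$")
# Longest label first so "SHA512..." is not read as "SHA1" + hex.
DIGEST_RE = re.compile(r"^(?P<algo>SHA512|SHA256|SHA1|MD5)(?P<hex>[0-9a-fA-F]+)$")


def parse_downloads(text):
    """Turn the run-together page text into one dict per entry."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            cur = {"path": m["path"]}
            records.append(cur)
        elif cur is None:
            raise ValueError(f"field before any entry header: {line!r}")
        elif (m := SIZE_RE.match(line)):
            cur["size"] = int(m["num"]) * SIZE_UNITS[m["unit"]]
        elif (m := DIGEST_RE.match(line)):
            cur[m["algo"].lower()] = m["hex"].lower()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return records


def bad_digests(record):
    """Digest names whose hex length is wrong for the algorithm (extraction damage)."""
    return [a for a, n in DIGEST_LEN.items() if a in record and len(record[a]) != n]


def dedupe(records):
    """Collapse entries sharing a SHA-256 (or path, when there is no digest)."""
    merged = {}
    for r in records:
        key = r.get("sha256", r["path"])
        if key in merged:
            merged[key]["occurrences"] += 1
        else:
            merged[key] = dict(r, occurrences=1)
    return list(merged.values())


def unique_files(text=RAW_DOWNLOADS):
    """Parsed, validated and deduplicated view of the Downloads section."""
    records = parse_downloads(text)
    damaged = [(r["path"], bad_digests(r)) for r in records if bad_digests(r)]
    if damaged:
        raise ValueError(f"malformed digests: {damaged}")
    return dedupe(records)


if __name__ == "__main__":
    for f in unique_files():
        print(f["occurrences"], f.get("size"), f.get("sha256", "-"), f["path"])
```

The length check is worth keeping even for one-off use: a digest that lost or gained a character in extraction would otherwise go into a blocklist and never match anything.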