Analysis
- max time kernel: 150s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 20:32
Static task: static1
Behavioral task: behavioral1
  Sample: 119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe
  Resource: win10v2004-20220812-en
(All signature hits, process IDs and memory dumps below reference behavioral1, the Windows 7 x64 run.)
General
- Target: 119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe
- Size: 181KB
- MD5: 35e7cba9da6186aabcbeb680b9e62a0f
- SHA1: a0aa491f942b485f15a7f59104e26beac1033591
- SHA256: 119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28
- SHA512: 64d079e1c3315cd77a018c6b998a5e9a86b45f11565dc00f4f6da737808aab9f5075ba6e96eb915940232333d8706703c80844eb7d86d0585b066bef5c899e12
- SSDEEP: 3072:CmwGb4OB7fOBUPH354yZqpQVGGRGyAiMeFNNiE7TE8pkkN2eJ1BMZbQX9nMs:CmlfB7zPpypQVGGR6IN3I8pky2kEg9n
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: SYSTEM
- C2:
  - UtilityService.ignorelist.com:9696
  - UtilityService.ignorelist.com:1738
  - UtilityService.ignorelist.com:2269
- Mutex: SGFSHJFgkjdsfadfurgGW (the field label was lost in extraction; this value sits where the extractor reports the AsyncRAT mutex, so the label is assumed)
- delay: 3
- install: true
- install_file: Boot Utility Service.exe
- install_folder: %AppData%
The extracted install settings line up with the observed behaviour: install_folder plus install_file resolves to the dropped C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe, and delay 3 is the "timeout 3" the batch file runs before launching it. The C2 is a single dynamic-DNS style hostname with three alternative ports, so network blocking and detection should key on the hostname rather than on whatever address it resolves to at analysis time.
Signatures
- Async RAT payload (2 IoCs)
  resource / yara_rule:
    behavioral1/memory/1120-56-0x0000000000940000-0x0000000000964000-memory.dmp  asyncrat
    behavioral1/memory/1120-58-0x0000000000990000-0x00000000009AE000-memory.dmp  asyncrat
- Core1 .NET packer (1 IoC)
  Detects packer/loader used by .NET malware.
  resource / yara_rule:
    behavioral1/memory/1120-56-0x0000000000940000-0x0000000000964000-memory.dmp  Core1
  The same 144KB region of PID 1120 matches both the packer rule and the AsyncRAT rule, so the RAT payload is visible in memory in the region the loader populates; that dump is the one to use for config extraction.
- Executes dropped EXE (1 IoC)
  pid 1388  Boot Utility Service.exe
- Loads dropped DLL (1 IoC)
  pid 1596  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "Likely ransomware behaviour"; that is generic wording for this signature. Nothing else in this report (no file encryption, no ransom note) supports a ransomware reading, and drive enumeration is ordinary host reconnaissance for a RAT.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  pid 1096  timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1120  119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 1120  119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe
  Token: SeDebugPrivilege  pid 1388  Boot Utility Service.exe
  Token: SeDebugPrivilege  pid 1388  Boot Utility Service.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  The sandbox records each parent-to-child write three times; the distinct pairs are:
    PID 1120 (119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe) wrote to memory of PID 1664 (cmd.exe)  [3 entries]
    PID 1120 (119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe) wrote to memory of PID 1596 (cmd.exe)  [3 entries]
    PID 1664 (cmd.exe) wrote to memory of PID 1728 (schtasks.exe)  [3 entries]
    PID 1596 (cmd.exe) wrote to memory of PID 1096 (timeout.exe)  [3 entries]
    PID 1596 (cmd.exe) wrote to memory of PID 1388 (Boot Utility Service.exe)  [3 entries]
  Every write goes from a parent to the child it spawned in the process tree below, so this signature is recording process creation here, not injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe (PID 1120)
   command line: "C:\Users\Admin\AppData\Local\Temp\119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (PID 1664)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Boot Utility Service" /tr '"C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe"' & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\schtasks.exe (PID 1728)
         command line: schtasks /create /f /sc onlogon /rl highest /tn "Boot Utility Service" /tr '"C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe"'
         - Creates scheduled task(s)
   2. C:\Windows\system32\cmd.exe (PID 1596)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp93A9.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe (PID 1096)
         command line: timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe (PID 1388)
         command line: "C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
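The process tree above is the whole AsyncRAT install routine in two branches: an on-logon scheduled task with the highest run level pointing at a binary under %AppData%, and a temp batch file that waits (timeout 3) and then starts that binary. The following is an added detection example, not part of the sandbox report, that runs two rules over process-creation records. The records are constructed in the shape of Sysmon Event ID 1 / Security 4688 events; the malicious command lines and PIDs 1120, 1664, 1728, 1596, 1096 and 1388 are copied from the tree, while the parent PID 1000 and the 2xxx benign records are invented for the example.

```python
"""Detection for the AsyncRAT persistence + delayed-launch chain seen above.

Added example over constructed process-creation records; not sandbox output.
"""
import re
from dataclasses import dataclass

# Directory markers a standard user can write to. A task action or a launched
# binary under one of these is what makes the otherwise-normal tooling suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # command line as logged


def _unquote(value):
    # schtasks /tr values in this sample arrive wrapped as '"..."' (see PID 1664)
    return value.strip().strip("'\"").strip()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect_schtasks_persistence(ev):
    """schtasks /create with an on-logon trigger, highest run level and an action
    in a user-writable directory. Fires on schtasks.exe and on the cmd.exe
    wrapper that carries the same command line."""
    cl = ev.cmdline.lower()
    if "schtasks" not in cl or "/create" not in cl:
        return None
    action = re.search(r"/tr\s+('[^']*'|\"[^\"]*\"|\S+)", ev.cmdline, re.I)
    if action is None:
        return None
    target = _unquote(action.group(1))
    onlogon = re.search(r"/sc\s+onlogon\b", cl) is not None
    highest = re.search(r"/rl\s+highest\b", cl) is not None
    if not (onlogon and highest and _user_writable(target)):
        return None
    name = re.search(r"/tn\s+(\"[^\"]*\"|\S+)", ev.cmdline, re.I)
    return {"rule": "schtasks_onlogon_highest_userwritable", "pid": ev.pid,
            "task": _unquote(name.group(1)) if name else None, "action": target}


def detect_delayed_dropper_launch(events):
    """cmd.exe running a .bat from a Temp directory whose children are timeout.exe
    and an executable started from a user-writable directory: the
    'delay N, then run install_file from install_folder' step of the config."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        if re.search(r"\\temp\\[^\s\"]+\.bat\b", ev.cmdline, re.I) is None:
            continue
        children = [c for c in events if c.ppid == ev.pid]
        delay = [c for c in children if c.image.lower().endswith("\\timeout.exe")]
        launched = [c for c in children
                    if c.image.lower().endswith(".exe") and _user_writable(c.image)]
        if delay and launched:
            hits.append({"rule": "tmp_bat_delay_then_userwritable_exe", "pid": ev.pid,
                         "delay_cmd": delay[0].cmdline,
                         "launched": [c.image for c in launched]})
    return hits


def scan(events):
    hits = [h for h in (detect_schtasks_persistence(e) for e in events) if h]
    hits.extend(detect_delayed_dropper_launch(events))
    return hits


# Constructed event log. Command lines of PIDs 1120-1388 are those of the report;
# PID 1000 and the 2xxx records are invented benign noise.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe"
SCHTASKS = ('schtasks /create /f /sc onlogon /rl highest /tn "Boot Utility Service" '
            "/tr '\"" + DROPPED + "\"'")
SAMPLE_EVENTS = [
    ProcEvent(1120, 1000, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(1664, 1120, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS + " & exit"),
    ProcEvent(1728, 1664, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    ProcEvent(1596, 1120, r"C:\Windows\system32\cmd.exe",
              'cmd /c ""' + TEMP + '\\tmp93A9.tmp.bat""'),
    ProcEvent(1096, 1596, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(1388, 1596, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(2000, 1999, r"C:\Windows\system32\schtasks.exe",
              'schtasks /create /sc daily /rl highest /tn "Backup" '
              '/tr "C:\\Program Files\\Backup\\backup.exe"'),
    ProcEvent(2100, 1999, r"C:\Windows\system32\cmd.exe", 'cmd /c "C:\\Scripts\\build.bat"'),
    ProcEvent(2101, 2100, r"C:\Windows\system32\timeout.exe", "timeout 5"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first rule deliberately fires on both the cmd.exe wrapper (PID 1664) and schtasks.exe (PID 1728), because a collector may only keep one of them; the daily task under Program Files is not flagged. The second rule needs the parent/child relation, so it is written over the whole event list rather than record by record.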
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp93A9.tmp.bat
  Filesize: 164B
  MD5: 9c52ed747baafcf8e2d3971e86ce9322
  SHA1: 78750acf38b67538562fd6eef93a282a35511a50
  SHA256: 77b891ba50e1d65bac7c94e739742bb4ee514e5203e2ed1e7eabb419fd2f7161
  SHA512: 469331972296a5195fe1b2d20307df7374c61d047cfab6749a4165a0152042c3efd0aaf390a9d01100c1ac041be475da45fb508552c60b4a68e89e9c61ab2f66
- C:\Users\Admin\AppData\Roaming\Boot Utility Service.exe
  (the sandbox lists this file three times, twice under this path and once as \Users\Admin\AppData\Roaming\Boot Utility Service.exe; all three entries carry the hashes below)
  Filesize: 181KB
  MD5: 35e7cba9da6186aabcbeb680b9e62a0f
  SHA1: a0aa491f942b485f15a7f59104e26beac1033591
  SHA256: 119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28
  SHA512: 64d079e1c3315cd77a018c6b998a5e9a86b45f11565dc00f4f6da737808aab9f5075ba6e96eb915940232333d8706703c80844eb7d86d0585b066bef5c899e12
  These hashes are identical to the submitted sample's: the install step copies the original binary unchanged into %AppData%, so the file hashes for the persisted copy are the same IOCs as for the sample.
Memory dumps (behavioral1)
PID 1120 (119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe):
- memory/1120-54-0x000000013F420000-0x000000013F452000-memory.dmp  Filesize 200KB
- memory/1120-55-0x0000000000600000-0x0000000000624000-memory.dmp  Filesize 144KB
- memory/1120-56-0x0000000000940000-0x0000000000964000-memory.dmp  Filesize 144KB  (YARA: asyncrat, Core1)
- memory/1120-57-0x0000000000160000-0x0000000000168000-memory.dmp  Filesize 32KB
- memory/1120-58-0x0000000000990000-0x00000000009AE000-memory.dmp  Filesize 120KB  (YARA: asyncrat)
- memory/1120-59-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp  Filesize 8KB
PID 1388 (Boot Utility Service.exe):
- memory/1388-66-0x0000000000000000-mapping.dmp
- memory/1388-69-0x000000013FC00000-0x000000013FC32000-memory.dmp  Filesize 200KB
Other processes (mapping dumps only):
- memory/1096-64-0x0000000000000000-mapping.dmp  (timeout.exe)
- memory/1596-61-0x0000000000000000-mapping.dmp  (cmd.exe)
- memory/1664-60-0x0000000000000000-mapping.dmp  (cmd.exe)
- memory/1728-62-0x0000000000000000-mapping.dmp  (schtasks.exe)
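The dump names above encode the PID, a capture sequence number and the address range of each region, and the sizes the report prints should be derivable from those ranges. The following is an added example, not part of the sandbox output: a parser for this naming scheme that checks the listed sizes against the address ranges and ranks the region dumps by how many YARA rules hit them, so an analyst can pick the dump to carve the config from. The dump list, sizes and rule hits are copied from this page; the PID-to-process table comes from the process tree; nothing else is assumed.

```python
"""Parser and cross-check for sandbox memory-dump names (added example)."""
import re

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-(?:0x(?P<end>[0-9a-fA-F]+)-memory|mapping)\.dmp$")

# PID -> process, from the process tree of this report
PROCESS_NAMES = {
    1120: "119996da24b3935ec811bcd72583b6d1cd5205097265100c20a6ce773b79fb28.exe",
    1664: "cmd.exe", 1728: "schtasks.exe", 1596: "cmd.exe",
    1096: "timeout.exe", 1388: "Boot Utility Service.exe",
}


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' (or the
    '-mapping.dmp' form) into its fields; size is end - start in bytes."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "name": name.split("/", 1)[1] if name.startswith("behavioral") else name,
        "pid": int(m["pid"]), "seq": int(m["seq"]),
        "kind": "region" if end is not None else "mapping",
        "start": start, "end": end,
        "size": (end - start) if end is not None else 0,
    }


def size_label(size):
    """Render a byte count the way the report does (whole KB)."""
    return f"{size // 1024}KB"


def check_listed_sizes(listed):
    """listed: {dump name: 'NNNKB' or None}. Return the names whose address
    range disagrees with the Filesize the report prints (expected: none)."""
    bad = []
    for name, label in listed.items():
        d = parse_dump_name(name)
        if d["kind"] == "region" and size_label(d["size"]) != label:
            bad.append(name)
    return bad


def rank_by_yara(listed, hits):
    """hits: [(resource, rule)]. Return region dumps with their rules, most
    rules first, then largest first; the top entry is the config-extraction
    candidate."""
    rules = {}
    for resource, rule in hits:
        rules.setdefault(parse_dump_name(resource)["name"], set()).add(rule)
    ranked = []
    for name in listed:
        d = parse_dump_name(name)
        if d["kind"] != "region":
            continue
        d["rules"] = sorted(rules.get(d["name"], ()))
        d["process"] = PROCESS_NAMES.get(d["pid"], "?")
        ranked.append(d)
    ranked.sort(key=lambda d: (-len(d["rules"]), -d["size"], d["pid"], d["seq"]))
    return ranked


# Dump list and YARA hits copied from this report
LISTED = {
    "memory/1096-64-0x0000000000000000-mapping.dmp": None,
    "memory/1120-58-0x0000000000990000-0x00000000009AE000-memory.dmp": "120KB",
    "memory/1120-59-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp": "8KB",
    "memory/1120-54-0x000000013F420000-0x000000013F452000-memory.dmp": "200KB",
    "memory/1120-57-0x0000000000160000-0x0000000000168000-memory.dmp": "32KB",
    "memory/1120-56-0x0000000000940000-0x0000000000964000-memory.dmp": "144KB",
    "memory/1120-55-0x0000000000600000-0x0000000000624000-memory.dmp": "144KB",
    "memory/1388-66-0x0000000000000000-mapping.dmp": None,
    "memory/1388-69-0x000000013FC00000-0x000000013FC32000-memory.dmp": "200KB",
    "memory/1596-61-0x0000000000000000-mapping.dmp": None,
    "memory/1664-60-0x0000000000000000-mapping.dmp": None,
    "memory/1728-62-0x0000000000000000-mapping.dmp": None,
}
YARA_HITS = [
    ("behavioral1/memory/1120-56-0x0000000000940000-0x0000000000964000-memory.dmp", "asyncrat"),
    ("behavioral1/memory/1120-58-0x0000000000990000-0x00000000009AE000-memory.dmp", "asyncrat"),
    ("behavioral1/memory/1120-56-0x0000000000940000-0x0000000000964000-memory.dmp", "Core1"),
]

if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(LISTED))
    for d in rank_by_yara(LISTED, YARA_HITS):
        print(f"{d['name']}  {size_label(d['size']):>6}  {d['process']}  {d['rules']}")
```

Every listed size matches its address range, and the ranking puts memory/1120-56 (144KB, both rules) first and memory/1120-58 (120KB, asyncrat) second. The two 200KB regions, at 0x13F420000 in PID 1120 and 0x13FC00000 in PID 1388, are the same size in both processes, which is consistent with the dropped file being a byte-for-byte copy of the sample.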