Analysis

max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2023 16:57

Behavioral task: behavioral1
Sample: 0x00090000000122f1-69.exe
Resource: win7-20220812-en
General

Target: 0x00090000000122f1-69.exe
Size: 45KB
MD5: 4b3284d70137fee18f1068d0b3ec3819
SHA1: 24a47e72ea5f76bbc37b0281bb24508b631157de
SHA256: 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
SHA512: 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d
SSDEEP: 768:zuQSNTvEEaBrWUXQd5mo2qmibq/aSh6PIRzjbfgX3imDRq/JyfBDZvx:zuQSNT8542x4qjDR3boXSgRndvx
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 135.148.113.4:6789
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: Service Host.exe
install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2620-132-0x0000000000A40000-0x0000000000A52000-memory.dmp | asyncrat
C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat
C:\Users\Admin\AppData\Roaming\Service Host.exe | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0x00090000000122f1-69.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 0x00090000000122f1-69.exe

Executes dropped EXE (1 IoC)
Processes: Service Host.exe
pid | process
4020 | Service Host.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
pid | process
4900 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes: 0x00090000000122f1-69.exe
pid | process
2620 | 0x00090000000122f1-69.exe (this row is listed 23 times in the original report)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 0x00090000000122f1-69.exe, Service Host.exe
description | pid | process
Token: SeDebugPrivilege | 2620 | 0x00090000000122f1-69.exe
Token: SeDebugPrivilege | 4020 | Service Host.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 0x00090000000122f1-69.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2620 wrote to memory of 4176 | 2620 | 0x00090000000122f1-69.exe | cmd.exe (listed 3 times)
PID 2620 wrote to memory of 1752 | 2620 | 0x00090000000122f1-69.exe | cmd.exe (listed 3 times)
PID 4176 wrote to memory of 2456 | 4176 | cmd.exe | schtasks.exe (listed 3 times)
PID 1752 wrote to memory of 4900 | 1752 | cmd.exe | timeout.exe (listed 3 times)
PID 1752 wrote to memory of 4020 | 1752 | cmd.exe | Service Host.exe (listed 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\0x00090000000122f1-69.exe (PID 2620)
  command line: "C:\Users\Admin\AppData\Local\Temp\0x00090000000122f1-69.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4176)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2456)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Service Host" /tr '"C:\Users\Admin\AppData\Roaming\Service Host.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe (PID 1752)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E4D.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 4900)
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Service Host.exe (PID 4020)
      command line: "C:\Users\Admin\AppData\Roaming\Service Host.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E4D.tmp.bat
  Filesize: 156B
  MD5: 5fc6d68a8968670ada6bb2a9700ab841
  SHA1: df708fc4bd3e87cc88b951153ae7cc12814a6d32
  SHA256: e042d9538eca41e595aa6084e9bcf5c7a35c95cf67df92ca7db7d2bdf9b66217
  SHA512: 6ebca6f6c696a15d01365609f4ad035b472b3653a8cf3536e6163ca6b7615a8f5cce3287365fc9a8f6679628451d4d2655a7a31c7d30ded5eb1d028cd0a1d217

C:\Users\Admin\AppData\Roaming\Service Host.exe (listed twice in the original report; same file both times)
  Filesize: 45KB
  MD5: 4b3284d70137fee18f1068d0b3ec3819
  SHA1: 24a47e72ea5f76bbc37b0281bb24508b631157de
  SHA256: 8ae63775359fa46ab17567259a6a504c60113868d706c1649b7e404aa0343010
  SHA512: 693cb57ee01b48daa08c3165187d29aad402e8fe8341e1050c0e6bfc7463b2723a6e5c6af762457cffee8ae2836fb3c7f3a73dfdd1ff50d51abc1e8f970d525d

memory/1752-135-0x0000000000000000-mapping.dmp
memory/2456-137-0x0000000000000000-mapping.dmp
memory/2620-132-0x0000000000A40000-0x0000000000A52000-memory.dmp (Filesize: 72KB)
memory/2620-133-0x0000000005500000-0x000000000559C000-memory.dmp (Filesize: 624KB)
memory/4020-139-0x0000000000000000-mapping.dmp
memory/4020-142-0x00000000066B0000-0x0000000006C54000-memory.dmp (Filesize: 5.6MB)
memory/4020-143-0x0000000005C10000-0x0000000005C76000-memory.dmp (Filesize: 408KB)
memory/4176-134-0x0000000000000000-mapping.dmp
memory/4900-138-0x0000000000000000-mapping.dmp