Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 16-02-2023 08:05

Static task: static1
Behavioral task: behavioral1
- Sample: ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
- Resource: win7-20221111-en
General
- Target: ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
- Size: 105KB
- MD5: ea1ea9fd37112bd1ef9cd6693fdb2cca
- SHA1: 176bfeccd1737a2e3ca961cd86edfe048b83cee7
- SHA256: 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
- SHA512: a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
- SSDEEP: 1536:dFuLAm8ssJ5e2BGdWLzxPoxZD2ZQQqn7uJ04+RAnyQ+qwz1ZAmdYjuu0UOQtJMD:PBGO2qxP+ZADqn7lRAn5nwwmdYw
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- Mutex: dsasdassasaasdasd
- Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/mndrG70y

With install set to false the RAT payload (hmmm.exe, the file the asyncrat YARA rule matches below) does not install itself; the persistence seen in this run is performed by the parent executable via schtasks, and the C2 address is fetched at runtime from the pastebin_config URL rather than being hard-coded.
Signatures
- Async RAT payload (4 IoCs)
  resource: yara_rule
  \Users\Admin\AppData\Local\Temp\hmmm.exe: asyncrat
  C:\Users\Admin\AppData\Local\Temp\hmmm.exe: asyncrat
  C:\Users\Admin\AppData\Local\Temp\hmmm.exe: asyncrat
  behavioral1/memory/1964-60-0x0000000000380000-0x0000000000392000-memory.dmp: asyncrat
- Executes dropped EXE (2 IoCs)
  pid 1964 hmmm.exe
  pid 596 assadsad.exe
- Loads dropped DLL (6 IoCs)
  pid 1136 ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
  pid 912 WerFault.exe (5 entries)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  See the pastebin_config URL in the extracted configuration.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; this sample is classified as AsyncRAT above, not as ransomware.)
- Program crash (1 IoC)
  pid 912 WerFault.exe, target pid 596 assadsad.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1964 hmmm.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (28 IoCs)
  Each parent/child pair below was recorded four times:
  PID 1136 ea1ea9fd37112bd1ef9cd6693fdb2cca.exe wrote to memory of 1964 hmmm.exe
  PID 1136 ea1ea9fd37112bd1ef9cd6693fdb2cca.exe wrote to memory of 1020 cmd.exe
  PID 1136 ea1ea9fd37112bd1ef9cd6693fdb2cca.exe wrote to memory of 1348 cmd.exe
  PID 1136 ea1ea9fd37112bd1ef9cd6693fdb2cca.exe wrote to memory of 852 cmd.exe
  PID 1348 cmd.exe wrote to memory of 2012 schtasks.exe
  PID 1512 taskeng.exe wrote to memory of 596 assadsad.exe
  PID 596 assadsad.exe wrote to memory of 912 WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe (PID 1136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hmmm.exe (PID 1964)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hmmm.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1020)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\assadsad"
  - C:\Windows\SysWOW64\cmd.exe (PID 1348)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2012)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 852)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe" "C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe"
- C:\Windows\system32\taskeng.exe (PID 1512)
  Command line: taskeng.exe {CC57D815-ED16-4472-8927-BF9C02EECCDB} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe (PID 596)
    Command line: C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 912)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 544
      - Loads dropped DLL
      - Program crash
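Detection logic for the persistence chain in the process tree above (a schtasks /create that re-runs every minute, pointing at a path under AppData\Roaming that the parent populated with cmd /c copy), as an added example that is not part of this report or of the sandbox's own signatures. It assumes process-creation events in a simple pid/ppid/image/cmdline layout constructed from the tree, plus one constructed benign daily task for contrast; the helper names (split_args, parse_schtasks_create, parse_copy, analyze) are the example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed process-creation events mirroring the process tree in the report (pids, images
# and command lines come from the report; the dict layout is an assumption, not any sensor's
# schema). The last event is a constructed benign task the detector must leave alone.
EVENTS = [
    {"pid": 1136, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe"'},
    {"pid": 1348, "ppid": 1136, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f'''},
    {"pid": 2012, "ppid": 1348, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f'''},
    {"pid": 852, "ppid": 1136, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe" "C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe"'},
    {"pid": 3000, "ppid": 2999, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]
# Paths an unprivileged user can write to: a task action living here was not installed by an admin.
USER_WRITABLE = re.compile(r"\\appdata\\|\\users\\public\\|\\temp\\|%appdata%|%temp%", re.I)


def split_args(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace outside double quotes, dropping the quotes."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return args + ["".join(cur)] if cur else args


def parse_schtasks_create(args: list[str]) -> dict | None:
    """Options of a `schtasks /create` command line (None if it is not a /create)."""
    low = [a.lower() for a in args]
    if "/create" not in low:
        return None
    opts = {"force": "/f" in low}
    for flag in ("/sc", "/mo", "/tn", "/tr"):
        if flag in low and low.index(flag) + 1 < len(args):
            opts[flag[1:]] = args[low.index(flag) + 1].strip("'")  # schtasks accepts /tr "'path'"
    return opts


def parse_copy(args: list[str]) -> tuple[str, str] | None:
    """(source, destination) of a `cmd /c copy SRC DST` command line, else None."""
    low = [a.lower() for a in args]
    if "copy" not in low:
        return None
    operands = [a for a in args[low.index("copy") + 1:] if not a.startswith("/")]
    return (operands[0], operands[1]) if len(operands) >= 2 else None


@dataclass
class Finding:
    pid: int
    task_name: str
    target: str
    reasons: list[str] = field(default_factory=list)
    staged_from: str | None = None  # file the task target was copied from, if such a copy was seen


def lineage(pid: int, by_pid: dict[int, dict]) -> set[int]:
    chain = {pid}  # the process plus every ancestor an event exists for
    while pid in by_pid and by_pid[pid]["ppid"] not in chain:
        pid = by_pid[pid]["ppid"]
        chain.add(pid)
    return chain


def analyze(events: list[dict]) -> list[Finding]:
    """Flag suspicious schtasks /create events and tie each to the copy that staged its target."""
    by_pid = {e["pid"]: e for e in events}
    copies = {}  # destination (lowercased) -> (copying pid, source)
    for e in events:
        c = parse_copy(split_args(e["cmdline"]))
        if c:
            copies[c[1].lower()] = (e["pid"], c[0])
    findings = []
    for e in events:
        # Match schtasks.exe itself, not the cmd.exe wrapper, so each task is reported once.
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks_create(split_args(e["cmdline"]))
        if opts is None:
            continue
        target, interval = opts.get("tr", ""), opts.get("mo", "1")
        reasons = []
        if opts.get("sc", "").lower() == "minute" and interval.isdigit() and int(interval) <= 5:
            reasons.append(f"re-executes every {interval} minute(s) (watchdog-style persistence)")
        if USER_WRITABLE.search(target):
            reasons.append("task action lives in a user-writable location")
        if opts["force"]:
            reasons.append("/f silently overwrites any existing task of that name")
        if not reasons:
            continue
        finding = Finding(e["pid"], opts.get("tn", ""), target, reasons)
        staged = copies.get(target.lower())
        # Credit the copy only when it comes from the same process tree as the task creation.
        if staged and (lineage(staged[0], by_pid) & lineage(e["pid"], by_pid)) - {0}:
            finding.staged_from = staged[1]
        findings.append(finding)
    return findings
```

Calling analyze(EVENTS) returns one finding: the schtasks.exe event for task Nafifas, flagged on all three counts and tied back to the cmd /c copy of the original sample into the task's target path, while the benign daily task produces nothing. Correlating the task action with a copy destination from the same process tree is what turns three generic command-line heuristics into a single persistence-chain finding; hunting for /sc minute alone will also catch legitimate monitoring agents.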
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The sandbox recorded each dropped file several times, under both the C:\ and the bare \Users path forms; the two distinct files are:
- C:\Users\Admin\AppData\Local\Temp\hmmm.exe (also recorded as \Users\Admin\AppData\Local\Temp\hmmm.exe)
  Filesize: 47KB
  MD5: 90dd20220b13ec8971b88eede6637354
  SHA1: c04bafafefe2b04fe6b06d9a4c106b2bb56ab132
  SHA256: b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c
  SHA512: 4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6
- C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe (also recorded as \Users\Admin\AppData\Roaming\assadsad\assadsad.exe)
  Filesize: 105KB
  MD5: ea1ea9fd37112bd1ef9cd6693fdb2cca
  SHA1: 176bfeccd1737a2e3ca961cd86edfe048b83cee7
  SHA256: 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
  SHA512: a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
  These hashes are identical to those of the submitted sample: assadsad.exe is a byte-for-byte copy of ea1ea9fd37112bd1ef9cd6693fdb2cca.exe, matching the cmd /c copy step in the process tree, so the scheduled task re-runs the original dropper every minute rather than the RAT payload directly.
Memory dumps
- memory/596-69-0x00000000010E0000-0x0000000001100000-memory.dmp: 128KB
- memory/596-67-0x0000000000000000-mapping.dmp
- memory/852-63-0x0000000000000000-mapping.dmp
- memory/912-70-0x0000000000000000-mapping.dmp
- memory/1020-61-0x0000000000000000-mapping.dmp
- memory/1136-54-0x0000000000810000-0x0000000000830000-memory.dmp: 128KB
- memory/1136-55-0x0000000075E01000-0x0000000075E03000-memory.dmp: 8KB
- memory/1348-62-0x0000000000000000-mapping.dmp
- memory/1964-60-0x0000000000380000-0x0000000000392000-memory.dmp: 72KB (the dump the asyncrat YARA rule matches)
- memory/1964-57-0x0000000000000000-mapping.dmp
- memory/2012-64-0x0000000000000000-mapping.dmp