Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-02-2023 08:05
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
  - Resource: win7-20221111-en
General
- Target: ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
- Size: 105KB
- MD5: ea1ea9fd37112bd1ef9cd6693fdb2cca
- SHA1: 176bfeccd1737a2e3ca961cd86edfe048b83cee7
- SHA256: 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
- SHA512: a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
- SSDEEP: 1536:dFuLAm8ssJ5e2BGdWLzxPoxZD2ZQQqn7uJ04+RAnyQ+qwz1ZAmdYjuu0UOQtJMD:PBGO2qxP+ZADqn7lRAn5nwwmdYw
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- Mutex: dsasdassasaasdasd
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/mndrG70y
Signatures
- Async RAT payload (3 IoCs)
  Processes:
  | resource | yara_rule |
  | --- | --- |
  | C:\Users\Admin\AppData\Local\Temp\hmmm.exe | asyncrat |
  | C:\Users\Admin\AppData\Local\Temp\hmmm.exe | asyncrat |
  | behavioral2/memory/2372-141-0x00000000000B0000-0x00000000000C2000-memory.dmp | asyncrat |
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  | description | ioc | process |
  | --- | --- | --- |
  | Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe |
- Executes dropped EXE (3 IoCs)
  Processes:
  | pid | process |
  | --- | --- |
  | 2372 | hmmm.exe |
  | 988 | assadsad.exe |
  | 2388 | assadsad.exe |
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
  | pid | pid_target | process | target process |
  | --- | --- | --- | --- |
  | 3084 | 988 | WerFault.exe | assadsad.exe |
  | 1720 | 2388 | WerFault.exe | assadsad.exe |
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  | description | pid | process |
  | --- | --- | --- |
  | Token: SeDebugPrivilege | 2372 | hmmm.exe |
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 2380 wrote to memory of 2372 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | hmmm.exe |
  | PID 2380 wrote to memory of 2372 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | hmmm.exe |
  | PID 2380 wrote to memory of 2372 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | hmmm.exe |
  | PID 2380 wrote to memory of 3752 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 3752 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 3752 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 804 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 804 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 804 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 2720 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 2720 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 2380 wrote to memory of 2720 | 2380 | ea1ea9fd37112bd1ef9cd6693fdb2cca.exe | cmd.exe |
  | PID 804 wrote to memory of 4988 | 804 | cmd.exe | schtasks.exe |
  | PID 804 wrote to memory of 4988 | 804 | cmd.exe | schtasks.exe |
  | PID 804 wrote to memory of 4988 | 804 | cmd.exe | schtasks.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hmmm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hmmm.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\assadsad"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe" "C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe"
- C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
  Command line: C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 868
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 988 -ip 988
- C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
  Command line: C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 836
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2388 -ip 2388
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\hmmm.exe
  Filesize: 47KB
  MD5: 90dd20220b13ec8971b88eede6637354
  SHA1: c04bafafefe2b04fe6b06d9a4c106b2bb56ab132
  SHA256: b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c
  SHA512: 4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6
- C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
  Filesize: 105KB
  MD5: ea1ea9fd37112bd1ef9cd6693fdb2cca
  SHA1: 176bfeccd1737a2e3ca961cd86edfe048b83cee7
  SHA256: 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
  SHA512: a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
- memory/804-142-0x0000000000000000-mapping.dmp
- memory/2372-137-0x0000000000000000-mapping.dmp
- memory/2372-141-0x00000000000B0000-0x00000000000C2000-memory.dmp
  Filesize: 72KB
- memory/2380-136-0x0000000004D20000-0x0000000004D86000-memory.dmp
  Filesize: 408KB
- memory/2380-135-0x0000000000380000-0x00000000003A0000-memory.dmp
  Filesize: 128KB
- memory/2720-143-0x0000000000000000-mapping.dmp
- memory/3752-140-0x0000000000000000-mapping.dmp
- memory/4988-144-0x0000000000000000-mapping.dmp