Analysis
Max time kernel: 143s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 14/03/2023, 19:11

Behavioral task: behavioral1
Sample: chromedrivers.exe
Resource: win7-20230220-en
General
Target: chromedrivers.exe
Size: 47KB
MD5: 19bad7e44cebbc89e4fdbf0331f8537e
SHA1: 3a0d1a2c7b6c282a41be338e2487a76a80b0af30
SHA256: 96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
SHA512: 4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33
SSDEEP: 768:iuW81Towx/9WU9Vt+Xmo2qzEZQJSVHDEzPII72IxqKm2L0bt7GCv5wFdjhjwJ55S:iuW81Toq7C2ruRcE2Ixwzbt7Gkqjhjw0
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: dnsontopnegros.ddns.net:13370
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: chromedrivers.exe
install_folder: %AppData%
Signatures
Async RAT payload (6 IoCs)
  resource / yara_rule:
    behavioral1/memory/748-54-0x0000000001080000-0x0000000001092000-memory.dmp  asyncrat
    behavioral1/files/0x000b000000012305-66.dat  asyncrat
    behavioral1/files/0x000b000000012305-65.dat  asyncrat
    behavioral1/files/0x000b000000012305-67.dat  asyncrat
    behavioral1/memory/1744-68-0x0000000000D00000-0x0000000000D12000-memory.dmp  asyncrat
    behavioral1/memory/1744-69-0x0000000004D10000-0x0000000004D50000-memory.dmp  asyncrat
Executes dropped EXE (1 IoC)
  pid / Process:
    1744  chromedrivers.exe
Loads dropped DLL (1 IoC)
  pid / Process:
    240  cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
    904  schtasks.exe
Delays execution with timeout.exe (1 IoC)
  pid / Process:
    828  timeout.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid / Process:
    748  chromedrivers.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege  748   chromedrivers.exe
    Token: SeDebugPrivilege  1744  chromedrivers.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target (each row was recorded 4 times in the report):
    PID 748 wrote to memory of 1472   748   chromedrivers.exe  27
    PID 748 wrote to memory of 240    748   chromedrivers.exe  29
    PID 1472 wrote to memory of 904   1472  cmd.exe            31
    PID 240 wrote to memory of 828    240   cmd.exe            32
    PID 240 wrote to memory of 1744   240   cmd.exe            33
Processes
C:\Users\Admin\AppData\Local\Temp\chromedrivers.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\chromedrivers.exe"
  PID: 748
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromedrivers" /tr '"C:\Users\Admin\AppData\Roaming\chromedrivers.exe"' & exit
      PID: 1472
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /sc onlogon /rl highest /tn "chromedrivers" /tr '"C:\Users\Admin\AppData\Roaming\chromedrivers.exe"'
          PID: 904
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp79B3.tmp.bat""
      PID: 240
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe
          command line: timeout 3
          PID: 828
          - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Roaming\chromedrivers.exe
          command line: "C:\Users\Admin\AppData\Roaming\chromedrivers.exe"
          PID: 1744
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 157B
  MD5: e824357297c384af801f8f4d5999903d
  SHA1: 16cd8c14fe978d00c9d8e8b92119a4fc0363bc6f
  SHA256: f4e46a26a9f82ac85a5ae2472a4b804d70af9265a6e3ad94b7628762eddd2201
  SHA512: fa170057f1f2cd1938c6515cdb3a1dcca59c7df7fcf61052add6ad6522560f71c7cd16c8fee957021a4273b64f3d60695b44c93ceb6ac3f2ff908d48b19abc5c
- Filesize: 157B
  MD5: e824357297c384af801f8f4d5999903d
  SHA1: 16cd8c14fe978d00c9d8e8b92119a4fc0363bc6f
  SHA256: f4e46a26a9f82ac85a5ae2472a4b804d70af9265a6e3ad94b7628762eddd2201
  SHA512: fa170057f1f2cd1938c6515cdb3a1dcca59c7df7fcf61052add6ad6522560f71c7cd16c8fee957021a4273b64f3d60695b44c93ceb6ac3f2ff908d48b19abc5c
- Filesize: 47KB
  MD5: 19bad7e44cebbc89e4fdbf0331f8537e
  SHA1: 3a0d1a2c7b6c282a41be338e2487a76a80b0af30
  SHA256: 96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
  SHA512: 4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33
- Filesize: 47KB
  MD5: 19bad7e44cebbc89e4fdbf0331f8537e
  SHA1: 3a0d1a2c7b6c282a41be338e2487a76a80b0af30
  SHA256: 96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
  SHA512: 4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33
- Filesize: 47KB
  MD5: 19bad7e44cebbc89e4fdbf0331f8537e
  SHA1: 3a0d1a2c7b6c282a41be338e2487a76a80b0af30
  SHA256: 96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
  SHA512: 4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33