Analysis

max time kernel   147s
max time network  152s
platform          windows10-2004_x64
resource          win10v2004-20230221-en
resource tags     arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted         14/03/2023, 19:11
Behavioral task   behavioral1
Sample            chromedrivers.exe
Resource          win7-20230220-en
General

Target    chromedrivers.exe
Size      47KB
MD5       19bad7e44cebbc89e4fdbf0331f8537e
SHA1      3a0d1a2c7b6c282a41be338e2487a76a80b0af30
SHA256    96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
SHA512    4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33
SSDEEP    768:iuW81Towx/9WU9Vt+Xmo2qzEZQJSVHDEzPII72IxqKm2L0bt7GCv5wFdjhjwJ55S:iuW81Toq7C2ruRcE2Ixwzbt7Gkqjhjw0
Malware Config

Extracted

Family          asyncrat
Version         0.5.7B
Botnet          Default
C2              dnsontopnegros.ddns.net:13370
Mutex           AsyncMutex_6SI8OkPnk
delay           3
install         true
install_file    chromedrivers.exe
install_folder  %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4152-133-0x0000000000330000-0x0000000000342000-memory.dmp  asyncrat
  behavioral2/files/0x0007000000023168-144.dat                                  asyncrat
  behavioral2/files/0x0007000000023168-143.dat                                  asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  chromedrivers.exe

Executes dropped EXE (1 IoC)
  pid   Process
  448   chromedrivers.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4288  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid   Process
  1404  timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid   Process
  4152  chromedrivers.exe  (the same pid/process pair is reported 23 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4152  chromedrivers.exe
  Token: SeDebugPrivilege  448   chromedrivers.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process            procid_target
  PID 4152 wrote to memory of 3728  4152  chromedrivers.exe  90   (reported 3 times)
  PID 4152 wrote to memory of 2824  4152  chromedrivers.exe  92   (reported 3 times)
  PID 3728 wrote to memory of 4288  3728  cmd.exe            94   (reported 3 times)
  PID 2824 wrote to memory of 1404  2824  cmd.exe            95   (reported 3 times)
  PID 2824 wrote to memory of 448   2824  cmd.exe            97   (reported 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\chromedrivers.exe  (PID 4152, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\chromedrivers.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 3728, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromedrivers" /tr '"C:\Users\Admin\AppData\Roaming\chromedrivers.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 4288, depth 3)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "chromedrivers" /tr '"C:\Users\Admin\AppData\Roaming\chromedrivers.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 2824, depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp85AF.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 1404, depth 3)
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\chromedrivers.exe  (PID 448, depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\chromedrivers.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize  614B
MD5       54920f388010333559bdff225040761d
SHA1      040972bf1fc83014f10c45832322c094f883ce30
SHA256    9ed5449a36700939987209c7a2974b9cc669b8b22c7c4e7936f35dda0a4dc359
SHA512    e17aa5d1328b3bfd3754d15b3c2eded98653d90c7b326f941522e0b3bd6f557880246a6bc69047facb42eb97d2e0ed6c46148dfe95a98669fc4e1d07c21a285c

Filesize  157B
MD5       fbf522cebe307ca884955233ef44cb26
SHA1      57cd5e1900d38ab821c27d486a55bc8a1046746a
SHA256    4330ef69312a04311158c6b55c262dde4e4fbdc919725288142a621c4074b16b
SHA512    6f904f25d19e59f76c9470e98507061d6fee7fcac1643944e15a096bc8abc3c0a577c550414b860b00c7cc76e3aed3fe528e61518ba30fa5e9c68dbcdcb2685d

Filesize  47KB
MD5       19bad7e44cebbc89e4fdbf0331f8537e
SHA1      3a0d1a2c7b6c282a41be338e2487a76a80b0af30
SHA256    96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
SHA512    4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33

Filesize  47KB
MD5       19bad7e44cebbc89e4fdbf0331f8537e
SHA1      3a0d1a2c7b6c282a41be338e2487a76a80b0af30
SHA256    96b2d78904d08e5deeb0aa2b82e1630e7d190e85cddb807a539b1b4c8126ba70
SHA512    4628e07bf34d097d646b320e2b3336e46f6ae38750e9187560e85e9db66f157d3d2de3421ee75013fbe9075dc600c9f599611cd46a4ace2c234bb5d5a948bc33