Analysis
Max time kernel: 143s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15/03/2023, 00:43
Static task: static1
Behavioral task: behavioral1
Sample: service_updated.exe
Resource: win7-20230220-en
General
Target: service_updated.exe
Size: 26KB
MD5: 41129b2de89d99f0bd5e1ad1f6440eef
SHA1: 48ed7f4ed02069d40eca3e1398cda78df33d94e7
SHA256: 6573a46dcc3f3695b69d5f395bc71515b34890ddc4a73b017afab37421512542
SHA512: 93c22380c3ae75a1cc087716b94665626b6e0418dc4e1eb65afee536282571ed3a28607a3cf4b7ff1fbbd9ad0cda70349d556c4b0b9a17981357100c6a0d7eca
SSDEEP: 384:sJJo2hYvWMUMGYZacX1weJiPRQMFWsXrMTW4g1CwL1CyDb+/cG7myv+pQ6ZD0m3H:lEHqSeJiJVXrM41v1C8bpCT+Zgm3HtN
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex: DcRatMutex_qwqdanchun
Attributes:
- delay: 10
- install: true
- install_file: csrss.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures
Async RAT payload (6 IoCs)
Resource / YARA rule:
- behavioral2/files/0x0006000000023176-154.dat: asyncrat
- behavioral2/files/0x0006000000023176-225.dat: asyncrat
- behavioral2/files/0x0006000000023176-226.dat: asyncrat
- behavioral2/memory/2548-229-0x0000000000DF0000-0x0000000000E06000-memory.dmp: asyncrat
- behavioral2/files/0x0007000000023184-302.dat: asyncrat
- behavioral2/files/0x0007000000023184-303.dat: asyncrat
Downloads MZ/PE file
Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.
- PID 3672, attrib.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (tmp6DD7.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (csrss.exe)
Executes dropped EXE (4 IoCs)
- PID 2904, tmp6DD7.exe
- PID 2548, csrss.exe
- PID 4628, Extreme Injector v3.exe
- PID 4192, csrss.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2008, schtasks.exe
Delays execution with timeout.exe (1 IoC)
- PID 4460, timeout.exe
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (tmp6DD7.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- PID 820, service_updated.exe (1 entry)
- PID 2548, csrss.exe (23 entries)
Suspicious use of AdjustPrivilegeToken (44 IoCs)
Token privileges adjusted, grouped by process:
- PID 820, service_updated.exe (22 entries): SeDebugPrivilege (twice), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 4628, Extreme Injector v3.exe (20 entries): SeDebugPrivilege (2 entries), 33 (9 entries), SeIncBasePriorityPrivilege (9 entries)
- PID 2548, csrss.exe: SeDebugPrivilege
- PID 4192, csrss.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory (19 IoCs)
Source PID and process, target PID (procid_target), number of entries:
- 820 service_updated.exe wrote to memory of 3672 (90): 2 entries
- 820 service_updated.exe wrote to memory of 2904 (91): 3 entries
- 2904 tmp6DD7.exe wrote to memory of 2548 (94): 2 entries
- 2904 tmp6DD7.exe wrote to memory of 4628 (95): 2 entries
- 2548 csrss.exe wrote to memory of 3772 (99): 2 entries
- 2548 csrss.exe wrote to memory of 2476 (101): 2 entries
- 2476 cmd.exe wrote to memory of 4460 (103): 2 entries
- 3772 cmd.exe wrote to memory of 2008 (104): 2 entries
- 2476 cmd.exe wrote to memory of 4192 (105): 2 entries
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes (1 TTP, 1 IoC)
- PID 3672, attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\service_updated.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\service_updated.exe"
    PID: 820
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\attrib.exe
        Command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp6DD7.exe
        PID: 3672
        - Sets file to hidden
        - Views/modifies file attributes
    [2] C:\Users\Admin\AppData\Local\Temp\tmp6DD7.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6DD7.exe"
        PID: 2904
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\csrss.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
            PID: 2548
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
                PID: 3772
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\schtasks.exe
                    Command line: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
                    PID: 2008
                    - Creates scheduled task(s)
            [4] C:\Windows\system32\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1FD.tmp.bat""
                PID: 2476
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\timeout.exe
                    Command line: timeout 3
                    PID: 4460
                    - Delays execution with timeout.exe
                [5] C:\Users\Admin\AppData\Roaming\csrss.exe
                    Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
                    PID: 4192
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
            PID: 4628
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads