Analysis
Max time kernel: 151s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15/03/2023, 02:34
Static task: static1
Behavioral task: behavioral1
  Sample: New Project 1.exe
  Resource: win7-20230220-en
General
Target: New Project 1.exe
Size: 3.3MB
MD5: 0b82679d42cab0b409f8931a42b5b146
SHA1: cb04cd8a5b8a964e02029d4e8c7b58dffb027090
SHA256: c161fdee3b643c98fe1b8f7697e7862343eae67823692a122ec27fe9bf0ce8bb
SHA512: d28e03ae32c4f7cec3cbc0d40c8a295a222b5746ea1e40074ec6bb2cecbe74920f27cd6874450e0d9f851f90bd0a59a758e5752246cfe808863f36108e94dcb8
SSDEEP: 49152:OzsaGqHikFPJcC2wxmDK30zBSs0xThNydNqLB7ZhCABTkPe:3wiXC1OB0Kni5JkP
Malware Config
Extracted: https://pastebin.com/raw/vNcCt60A
Extracted: asyncrat
  Family: asyncrat
  Version: 1.0.7
  Botnet: Default
  Mutex:
  delay: 3
  install: true
  install_file: csrss.exe
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures

Async RAT payload (5 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x000e000000022fe3-215.dat                                   asyncrat
  behavioral2/files/0x000e000000022fe3-216.dat                                   asyncrat
  behavioral2/memory/2728-217-0x00000000006E0000-0x00000000006F6000-memory.dmp   asyncrat
  behavioral2/files/0x0007000000022fe5-227.dat                                   asyncrat
  behavioral2/files/0x0007000000022fe5-228.dat                                   asyncrat

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  28    1652  powershell.exe
  30    1652  powershell.exe
  33    1652  powershell.exe

Downloads MZ/PE file

Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  pid  Process
  756  attrib.exe

Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation   New Project 1.exe
  Key value queried  (same key)                                                                                          service.exe
  Key value queried  (same key)                                                                                          WScript.exe
  Key value queried  (same key)                                                                                          tmp5DD7.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2824  Extreme Injector v3.exe
  1832  service.exe
  2728  tmp5DD7.exe
  2228  csrss.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  216  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid   Process
  3784  timeout.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                Process
  Key created  \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings  service.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   Process         events
  1652  powershell.exe  2
  2728  tmp5DD7.exe     23

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process                  Tokens (repeated across the 64 entries)
  2824  Extreme Injector v3.exe  SeDebugPrivilege, 33, SeIncBasePriorityPrivilege
  1652  powershell.exe           SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
                                 SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
                                 SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege,
                                 SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
                                 SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (26 IoCs)
  pid   Process            wrote to PID  procid_target  events
  1968  New Project 1.exe  2824          86             2
  1968  New Project 1.exe  1832          87             3
  1832  service.exe        3028          88             3
  3028  WScript.exe        1652          89             3
  1652  powershell.exe     756           99             3
  1652  powershell.exe     2728          100            2
  2728  tmp5DD7.exe        1816          102            2
  2728  tmp5DD7.exe        3860          104            2
  3860  cmd.exe            3784          107            2
  1816  cmd.exe            216           106            2
  3860  cmd.exe            2228          108            2

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
  pid  Process
  756  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\New Project 1.exe (PID 1968)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe (PID 2824)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\service.exe (PID 1832)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\service.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe (PID 3028)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1652)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe (PID 756)
          cmdline: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp5DD7.exe
          - Sets file to hidden
          - Views/modifies file attributes

        C:\Users\Admin\AppData\Local\Temp\tmp5DD7.exe (PID 2728)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp5DD7.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\cmd.exe (PID 1816)
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\schtasks.exe (PID 216)
              cmdline: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
              - Creates scheduled task(s)

          C:\Windows\system32\cmd.exe (PID 3860)
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp58DE.tmp.bat""
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\timeout.exe (PID 3784)
              cmdline: timeout 3
              - Delays execution with timeout.exe

            C:\Users\Admin\AppData\Roaming\csrss.exe (PID 2228)
              cmdline: "C:\Users\Admin\AppData\Roaming\csrss.exe"
              - Executes dropped EXE
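The tree above shows the AsyncRAT install sequence end to end: PowerShell (PID 1652) hides the staged payload with attrib +s +h, the payload (PID 2728) registers an onlogon scheduled task named "csrss" with /rl highest that points at %AppData%\csrss.exe, and a batch file waits with timeout 3 before launching the copy under the system-binary name. The following is an added example and is not part of the sandbox report or of any vendor's rule set: a Python detector that applies those four checks to process-creation events. The sample events are constructed from the PIDs and command lines in the tree; the (pid, ppid, image, cmdline) fields are an assumed Sysmon-like schema, and the rule names are ours.

```python
"""Flag the AsyncRAT install/persistence pattern in the process tree above.
Added example for this report, not sandbox or AsyncRAT code. SAMPLE_EVENTS is constructed
from PIDs and command lines in the tree; the Event fields are an assumed Sysmon-like schema."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Names that legitimately run only from %SystemRoot%\System32 (or SysWOW64).
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
EXE_PATH = re.compile(r"[A-Z]:\\[^\s\"]+\.exe", re.IGNORECASE)

@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def schtasks_target(cmdline: str) -> str | None:
    """Unquoted /tr (program to run) value of a schtasks command line, if any."""
    m = re.search(r"/tr\s+(.+?)(?=\s+/\w+|\s*$)", cmdline, re.IGNORECASE)
    return m.group(1).strip("'\"") if m else None

def rule_schtasks(ev: Event) -> Finding | None:
    """schtasks /create whose /tr points into a user-writable AppData path."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    target = schtasks_target(ev.cmdline)
    if not target or not USER_WRITABLE.search(target):
        return None
    notes = []
    if re.search(r"/sc\s+(onlogon|onstart)", ev.cmdline, re.IGNORECASE):
        notes.append("runs at logon/boot")
    if re.search(r"/rl\s+highest", ev.cmdline, re.IGNORECASE):
        notes.append("highest run level")
    if basename(target) in SYSTEM_BINARY_NAMES:
        notes.append("named like " + basename(target))
    return Finding("schtasks_persistence_appdata", ev.pid, f"{target} ({'; '.join(notes)})")

def rule_attrib_hide(ev: Event) -> Finding | None:
    """attrib +s +h on an executable under AppData: hides the staged payload."""
    low = ev.cmdline.lower()
    if basename(ev.image) != "attrib.exe" or "+h" not in low or "+s" not in low:
        return None
    hidden = [p for p in EXE_PATH.findall(ev.cmdline) if USER_WRITABLE.search(p)]
    return Finding("attrib_hide_appdata_exe", ev.pid, hidden[0]) if hidden else None

def rule_masquerade(ev: Event) -> Finding | None:
    """A system-binary name (csrss.exe, ...) executing from outside System32."""
    if basename(ev.image) in SYSTEM_BINARY_NAMES and not SYSTEM_DIR.match(ev.image):
        return Finding("system_name_outside_system32", ev.pid, ev.image)
    return None

def rule_delayed_relaunch(events: list[Event]) -> list[Finding]:
    """cmd.exe running a Temp .bat whose children are timeout.exe and an AppData exe."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    out = []
    for ev in events:
        if basename(ev.image) == "cmd.exe" and re.search(r"\\Temp\\\S+\.bat", ev.cmdline, re.IGNORECASE):
            kids = children[ev.pid]
            waited = any(basename(k.image) == "timeout.exe" for k in kids)
            launched = [k.image for k in kids if USER_WRITABLE.search(k.image)]
            if waited and launched:
                out.append(Finding("bat_timeout_then_appdata_exec", ev.pid, launched[0]))
    return out

def analyse(events: list[Event]) -> list[Finding]:
    out = [f for ev in events for f in (rule_schtasks(ev), rule_attrib_hide(ev), rule_masquerade(ev)) if f]
    return out + rule_delayed_relaunch(events)

SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "csrss" '
                '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"\'')
T = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the report's process tree (PIDs, images and command lines as shown there).
SAMPLE_EVENTS = [Event(*e) for e in [
    (756, 1652, r"C:\Windows\SysWOW64\attrib.exe", f'"C:\\Windows\\system32\\attrib.exe" +s +h {T}\\tmp5DD7.exe'),
    (2728, 1652, f"{T}\\tmp5DD7.exe", f'"{T}\\tmp5DD7.exe"'),
    (1816, 2728, r"C:\Windows\System32\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c {SCHTASKS_CMD} & exit'),
    (216, 1816, r"C:\Windows\system32\schtasks.exe", SCHTASKS_CMD),
    (3860, 2728, r"C:\Windows\system32\cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c ""{T}\\tmp58DE.tmp.bat""'),
    (3784, 3860, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    (2228, 3860, r"C:\Users\Admin\AppData\Roaming\csrss.exe", r'"C:\Users\Admin\AppData\Roaming\csrss.exe"'),
]]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Run stand-alone it prints one finding per rule (PIDs 216, 756, 2228 and 3860). The masquerade rule keys on the logged image path rather than the name alone, so a real csrss.exe under System32 is not flagged. Note that the events in this report log the SysWOW64 image path while the command line says System32 (WOW64 file-system redirection for 32-bit processes), so directory checks should use the image field, not the command line.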
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.9MB (listed 3 times in the report)
  MD5: ec801a7d4b72a288ec6c207bb9ff0131
  SHA1: 32eec2ae1f9e201516fa7fcdc16c4928f7997561
  SHA256: b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
  SHA512: a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Filesize: 147B
  MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
  SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
  SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
  SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

Filesize: 797B
  MD5: eb9c76ab230c2b8527d504429d7aca20
  SHA1: ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
  SHA256: f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
  SHA512: f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2

Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 283KB (listed 3 times in the report)
  MD5: cc9cbbfa9ccc9cefe75253c65ad22405
  SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
  SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
  SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17

Filesize: 149B
  MD5: 6f9234da5a9ae3c66f69c7e2487acead
  SHA1: 43236b786f551b4b437bc18acfc3732cf7689995
  SHA256: 2b86d74b1df8253a402650edc25c15e2cb2d50f1010d67e61513f9669ed1e570
  SHA512: 4942a3919de4c8b57023b906a939abd3f0144b467bcb4728cb17d1f4c6c9059db061dd43cf314297e849c3a1aaed5c3fc659310f3510f1f8dbe5e5fcd40dc21d

Filesize: 63KB (listed 4 times in the report)
  MD5: d2053aeb9216c3040b40e67d72578669
  SHA1: 3a33aab579e13bac21c4966b4e2491cee400155f
  SHA256: 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
  SHA512: 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f