Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 02:00
Static task: static1
Behavioral task: behavioral1
Sample: service.exe
Resource: win7-20230220-en
General
Target: service.exe
Size: 283KB
MD5: cc9cbbfa9ccc9cefe75253c65ad22405
SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17
SSDEEP: 6144:7gZiAEAO0sByNsAal3gVAWgS7/OhwjKfqZK:7gZXEAO/BUdG3gVdt7KnfqZK
Malware Config

Extracted from: https://pastebin.com/raw/vNcCt60A

Extracted config
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex: DcRatMutex_qwqdanchun
delay: 10
install: true
install_file: csrss.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures

Async RAT payload (6 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000023186-194.dat | asyncrat
behavioral2/files/0x0006000000023186-265.dat | asyncrat
behavioral2/files/0x0006000000023186-266.dat | asyncrat
behavioral2/memory/3464-269-0x0000000000C20000-0x0000000000C36000-memory.dmp | asyncrat
behavioral2/files/0x000600000002318a-344.dat | asyncrat
behavioral2/files/0x000600000002318a-343.dat | asyncrat

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
34 | 1228 | powershell.exe
37 | 1228 | powershell.exe

Downloads MZ/PE file

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
4456 | attrib.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | service.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | tmp7DD0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | csrss.exe

Executes dropped EXE (4 IoCs)
pid | Process
4432 | tmp7DD0.exe
3464 | csrss.exe
2768 | Extreme Injector v3.exe
5108 | csrss.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3560 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
4440 | timeout.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | tmp7DD0.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
1228 | powershell.exe
1228 | powershell.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe
3464 | csrss.exe

Suspicious use of AdjustPrivilegeToken (56 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1228 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1228 | powershell.exe
Token: SeSecurityPrivilege | 1228 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1228 | powershell.exe
Token: SeLoadDriverPrivilege | 1228 | powershell.exe
Token: SeSystemProfilePrivilege | 1228 | powershell.exe
Token: SeSystemtimePrivilege | 1228 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1228 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1228 | powershell.exe
Token: SeCreatePagefilePrivilege | 1228 | powershell.exe
Token: SeBackupPrivilege | 1228 | powershell.exe
Token: SeRestorePrivilege | 1228 | powershell.exe
Token: SeShutdownPrivilege | 1228 | powershell.exe
Token: SeDebugPrivilege | 1228 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1228 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1228 | powershell.exe
Token: SeUndockPrivilege | 1228 | powershell.exe
Token: SeManageVolumePrivilege | 1228 | powershell.exe
Token: 33 | 1228 | powershell.exe
Token: 34 | 1228 | powershell.exe
Token: 35 | 1228 | powershell.exe
Token: 36 | 1228 | powershell.exe
Token: SeDebugPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: SeDebugPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: SeDebugPrivilege | 3464 | csrss.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: 33 | 2768 | Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege | 2768 | Extreme Injector v3.exe
Token: SeDebugPrivilege | 5108 | csrss.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2768 | Extreme Injector v3.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 2748 wrote to memory of 1648 | 2748 | service.exe | 85
PID 2748 wrote to memory of 1648 | 2748 | service.exe | 85
PID 2748 wrote to memory of 1648 | 2748 | service.exe | 85
PID 1648 wrote to memory of 1228 | 1648 | WScript.exe | 86
PID 1648 wrote to memory of 1228 | 1648 | WScript.exe | 86
PID 1648 wrote to memory of 1228 | 1648 | WScript.exe | 86
PID 1228 wrote to memory of 4456 | 1228 | powershell.exe | 97
PID 1228 wrote to memory of 4456 | 1228 | powershell.exe | 97
PID 1228 wrote to memory of 4456 | 1228 | powershell.exe | 97
PID 1228 wrote to memory of 4432 | 1228 | powershell.exe | 98
PID 1228 wrote to memory of 4432 | 1228 | powershell.exe | 98
PID 1228 wrote to memory of 4432 | 1228 | powershell.exe | 98
PID 4432 wrote to memory of 3464 | 4432 | tmp7DD0.exe | 99
PID 4432 wrote to memory of 3464 | 4432 | tmp7DD0.exe | 99
PID 4432 wrote to memory of 2768 | 4432 | tmp7DD0.exe | 100
PID 4432 wrote to memory of 2768 | 4432 | tmp7DD0.exe | 100
PID 3464 wrote to memory of 1472 | 3464 | csrss.exe | 103
PID 3464 wrote to memory of 1472 | 3464 | csrss.exe | 103
PID 3464 wrote to memory of 4780 | 3464 | csrss.exe | 105
PID 3464 wrote to memory of 4780 | 3464 | csrss.exe | 105
PID 1472 wrote to memory of 3560 | 1472 | cmd.exe | 107
PID 1472 wrote to memory of 3560 | 1472 | cmd.exe | 107
PID 4780 wrote to memory of 4440 | 4780 | cmd.exe | 108
PID 4780 wrote to memory of 4440 | 4780 | cmd.exe | 108
PID 4780 wrote to memory of 5108 | 4780 | cmd.exe | 109
PID 4780 wrote to memory of 5108 | 4780 | cmd.exe | 109

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
4456 | attrib.exe
Processes (indented by depth in the process tree; the bracketed number is the depth level)

[1] C:\Users\Admin\AppData\Local\Temp\service.exe (PID 2748)
    Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe (PID 1648)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1228)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\attrib.exe (PID 4456)
          Command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp7DD0.exe
          - Sets file to hidden
          - Views/modifies file attributes

      [4] C:\Users\Admin\AppData\Local\Temp\tmp7DD0.exe (PID 4432)
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7DD0.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\csrss.exe (PID 3464)
            Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\cmd.exe (PID 1472)
              Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\schtasks.exe (PID 3560)
                Command line: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
                - Creates scheduled task(s)

          [6] C:\Windows\system32\cmd.exe (PID 4780)
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE479.tmp.bat""
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\timeout.exe (PID 4440)
                Command line: timeout 3
                - Delays execution with timeout.exe

            [7] C:\Users\Admin\AppData\Roaming\csrss.exe (PID 5108)
                Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken

        [5] C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe (PID 2768)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads