Analysis
- max time kernel: 20s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/03/2023, 03:21
- Static task: static1
General
- Target: Christine-Fink_ByZrar.scr
- Size: 173.3MB
- MD5: acda0aa3ac109f59131c728eea4b06d8
- SHA1: 0cf9a9b70bcb179c24e54b56003176e111c8646d
- SHA256: b9ddb91a6de8542f1bbf920fbf40cc84780e18a3865b4f6407b4b168af0d13c5
- SHA512: 93e50e73a24a84b186ecd9f7ce3e512ada50b2c4c411d076b2829310c54db02323d3f5529bb11d22f21b76cd49e975925a84c7749d92b397bb9509b3e8796e85
- SSDEEP: 1572864:RgkU31ipgnoAQ3GJ/j7gbZQwxx3WIXHQmBUucN:RgkU1SrBm/fI3QiXcN
Malware Config
Extracted family: asyncrat
- version: 0.5.7B
- botnet: Default
- Mutex: (value not listed on this page)
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures
- Async RAT payload (4 IoCs)
  YARA rule "asyncrat" matched on:
  - behavioral1/files/0x00030000000230e4-140.dat
  - behavioral1/files/0x00030000000230e4-211.dat
  - behavioral1/files/0x00030000000230e4-213.dat
  - behavioral1/memory/4680-214-0x0000000000E10000-0x0000000000E22000-memory.dmp (memory of csrss.exe, PID 4680)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (process: Christine-Fink_ByZrar.scr)
- Executes dropped EXE (1 IoC)
  - PID 4680, csrss.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  Consistent with the pastebin_config entry in the extracted configuration: the sample's C2 settings are pointed at a Pastebin raw URL rather than a host embedded directly in the config.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour", but nothing else in this report supports that and the detected family is AsyncRAT, so treat it as a weak indicator on its own.
- Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings (process: Christine-Fink_ByZrar.scr)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Christine-Fink_ByZrar.scr)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4680 csrss.exe (enabled twice)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4404 (Christine-Fink_ByZrar.scr) wrote to the memory of PID 4680 (csrss.exe), three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZrar.scr" /S
   PID: 4404
   (/S is the switch Windows passes to a .scr file to start it in screensaver mode; the sample is a screensaver-extension executable.)
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\csrss.exe (child of PID 4404)
      Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
      PID: 4680
      (The legitimate csrss.exe lives in C:\Windows\System32; a copy launched from the user's Temp directory is the dropped payload masquerading under a system-process name.)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\System32\rundll32.exe
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 4112
   (A COM local-server activation through shell32's SHCreateLocalServerRunDll export; no signatures are attributed to this process on this page.)
Network
(No network entries are captured in this copy of the report.)
MITRE ATT&CK Enterprise v6
(The technique mapping table is not present in this copy of the report.)
Downloads
- Filesize: 48KB
  MD5: 80536cf3325d6dbd0d961300bce4e707
  SHA1: 58c1868bc443e509d9fa2d268c6bd0be66e52ebd
  SHA256: ddef87f68cddede60375bb1dc0b44842166362d04040851894a9583805bfd831
  SHA512: 5786ffe93fa20e6adf359d2af94a6d27a793279361a6dbb0ab117b1aae93c306333dccaeeedfe7e6f435624a19a705afde9b4775d78d296f8caa1c2a71db298b
  (Listed three times with identical hashes in the original report; shown once here.)