Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
17/03/2023, 06:22
Static task
static1
Behavioral task
behavioral1
Sample
service.exe
Resource
win7-20230220-en
General
-
Target
service.exe
-
Size
237KB
-
MD5
ab439c03eb89bc15757588b7b030bea6
-
SHA1
50411b04ba6c51aab0f706e3a54fc548b5f8df0f
-
SHA256
be067c2c7c5a474442339d8adc999a0a288d56890d9781e88f536b6183cd398c
-
SHA512
7784fb618db8f2951bd8032154da86c9f139d51a4e541c9924cfccab99862efbcf92b8cbd582714e5f243d2cd5ee1b9fa2bb076f7d9b683e4b57e7b9e347c9a7
-
SSDEEP
3072:r4tWK9YMDbz6fV/NpbnyAGJwhOnQdT1MgvAOdj8MXoiTYfSHw69pJZXAqacHy1ly:m9j76xnImFZ1MmF8QTU/urSiLfTP8U
Malware Config
Extracted
https://pastebin.com/raw/vNcCt60A
Extracted
asyncrat
0.5.7B
Default
Mutex
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/s14cUU5G
Signatures
-
Async RAT payload 3 IoCs
resource yara_rule behavioral2/files/0x000600000002313e-184.dat asyncrat behavioral2/files/0x000600000002313e-186.dat asyncrat behavioral2/memory/5032-187-0x0000000000570000-0x0000000000582000-memory.dmp asyncrat -
Blocklisted process makes network request 2 IoCs
flow pid Process 44 3852 powershell.exe 46 3852 powershell.exe -
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4512 attrib.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation service.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp1DD4.exe powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp1DD4.exe attrib.exe -
Executes dropped EXE 1 IoCs
pid Process 5032 tmp1DD4.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings service.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3852 powershell.exe 3852 powershell.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 3852 powershell.exe Token: SeIncreaseQuotaPrivilege 3852 powershell.exe Token: SeSecurityPrivilege 3852 powershell.exe Token: SeTakeOwnershipPrivilege 3852 powershell.exe Token: SeLoadDriverPrivilege 3852 powershell.exe Token: SeSystemProfilePrivilege 3852 powershell.exe Token: SeSystemtimePrivilege 3852 powershell.exe Token: SeProfSingleProcessPrivilege 3852 powershell.exe Token: SeIncBasePriorityPrivilege 3852 powershell.exe Token: SeCreatePagefilePrivilege 3852 powershell.exe Token: SeBackupPrivilege 3852 powershell.exe Token: SeRestorePrivilege 3852 powershell.exe Token: SeShutdownPrivilege 3852 powershell.exe Token: SeDebugPrivilege 3852 powershell.exe Token: SeSystemEnvironmentPrivilege 3852 powershell.exe Token: SeRemoteShutdownPrivilege 3852 powershell.exe Token: SeUndockPrivilege 3852 powershell.exe Token: SeManageVolumePrivilege 3852 powershell.exe Token: 33 3852 powershell.exe Token: 34 3852 powershell.exe Token: 35 3852 powershell.exe Token: 36 3852 powershell.exe Token: SeDebugPrivilege 5032 tmp1DD4.exe Token: SeDebugPrivilege 5032 tmp1DD4.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 756 wrote to memory of 2452 756 service.exe 85 PID 756 wrote to memory of 2452 756 service.exe 85 PID 756 wrote to memory of 2452 756 service.exe 85 PID 2452 wrote to memory of 3852 2452 WScript.exe 86 PID 2452 wrote to memory of 3852 2452 WScript.exe 86 PID 2452 wrote to memory of 3852 2452 WScript.exe 86 PID 3852 wrote to memory of 4512 3852 powershell.exe 97 PID 3852 wrote to memory of 4512 3852 powershell.exe 97 PID 3852 wrote to memory of 4512 3852 powershell.exe 97 PID 3852 wrote to memory of 5032 3852 powershell.exe 98 PID 3852 wrote to memory of 5032 3852 powershell.exe 98 PID 3852 wrote to memory of 5032 3852 powershell.exe 98 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4512 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\service.exe"C:\Users\Admin\AppData\Local\Temp\service.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps13⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\attrib.exe"C:\Windows\System32\attrib.exe" +s +h .\\tmp1DD4.exe4⤵
- Sets file to hidden
- Drops startup file
- Views/modifies file attributes
PID:4512
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp1DD4.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp1DD4.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147B
MD5e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA12c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA5129511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998
-
Filesize
949B
MD58a97b217587bf21df5b6be29428a1251
SHA133bc1ad54acc40f29d1b09767811c4a9f779f9a5
SHA256ac975c8129b58f138e0f9880d5d63e6ca9e350c875e09a6dd5c16b40eaa9ea0d
SHA512944c4fbbb3e92afad4cb4fc9f675cbe0b12ff3ef371fa1a5acdffb8489d7c7dde6e2cb8c2a1e194db9eba8e7c74db82b91ceaa40bc3f189924adaeae01cc2409
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
48KB
MD5fa378b2bb6985eec44142dca9f381985
SHA15b6614fcfc131772ab7d8e9df13b84a9c8b8aec0
SHA25607280cbf4815aba1b1841d4eeb86df01483c240301006c4f1d566e152e1ad783
SHA512117dbd8efaedec137667fd6cd64db0ad2d1396118aeb29fcbf2e7876c4f68d085ccfe5526f586aedbd5e22d4f4e986ff1660b182e6f375d46cd900efe57cc0fa
-
Filesize
48KB
MD5fa378b2bb6985eec44142dca9f381985
SHA15b6614fcfc131772ab7d8e9df13b84a9c8b8aec0
SHA25607280cbf4815aba1b1841d4eeb86df01483c240301006c4f1d566e152e1ad783
SHA512117dbd8efaedec137667fd6cd64db0ad2d1396118aeb29fcbf2e7876c4f68d085ccfe5526f586aedbd5e22d4f4e986ff1660b182e6f375d46cd900efe57cc0fa